
Windows Analysis Report
Scanned-IMGS_from NomanGroup IDT.scr.exe

Overview

General Information

Sample name: Scanned-IMGS_from NomanGroup IDT.scr.exe
Analysis ID: 1590590
MD5: 17cbb82b7db7a77df6507dd32af10563
SHA1: 816fc79a0d8dc1ea493779e01f21f99c00a9229d
SHA256: 744a3efa374159a40ea07cf1c6a295f40fef90685421d20ceda619847dbe6165
Tags: exe, user-lowmal3

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found API chain indicative of sandbox detection
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected non-DNS traffic on DNS port
Detected potential crypto function
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • Scanned-IMGS_from NomanGroup IDT.scr.exe (PID: 7520 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 17CBB82B7DB7A77DF6507DD32AF10563)
    • svchost.exe (PID: 7540 cmdline: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • zalkpCfMwtnpQo.exe (PID: 4856 cmdline: "C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • verclsid.exe (PID: 7608 cmdline: "C:\Windows\SysWOW64\verclsid.exe" MD5: 190A347DF06F8486F193ADA0E90B49C5)
          • zalkpCfMwtnpQo.exe (PID: 4944 cmdline: "C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 7948 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Memory dumps:
Source | Rule | Description | Author
00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

Unpacked PEs:
Source | Rule | Description | Author
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security

                System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7520, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 7540, ProcessName: svchost.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", CommandLine|base64offset|contains: 6j, Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ParentImage: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe, ParentProcessId: 7520, ParentProcessName: Scanned-IMGS_from NomanGroup IDT.scr.exe, ProcessCommandLine: "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe", ProcessId: 7540, ProcessName: svchost.exe
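The two Sigma hits above fire on the same fact visible in the process tree: svchost.exe (PID 7540) is started by the dropper (PID 7520) and carries the dropper's own command line, which is the footprint of process hollowing (a suspended legitimate image whose memory is replaced, matching the "Creates a process in suspended mode" and "Writes to foreign memory regions" signatures). The following added example, which is not part of the Joe Sandbox report or of the Sigma rules themselves, runs both checks over constructed process-creation events built from the report's data. The allow-list of expected svchost parents is an assumption that approximates the "Uncommon Svchost Parent Process" rule's filter, the parent of PID 7520 is unknown and left empty, and the benign svchost event (PID 1234) is made up for contrast.

```python
"""Flag svchost.exe launches that look hollowed: an unexpected parent, or a
command line that names a different executable than the loaded image."""
from dataclasses import dataclass
import ntpath


@dataclass
class ProcEvent:
    pid: int
    image: str          # path of the image actually loaded
    cmdline: str        # command line as recorded at process creation
    ppid: int
    parent_image: str


# Constructed from the report's process tree and Sigma hit (PIDs 7520 -> 7540).
# PID 1234 is a made-up benign svchost for contrast; the parent of 7520 is unknown.
EVENTS = [
    ProcEvent(7520, r"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe",
              r'"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"', 0, ""),
    ProcEvent(7540, r"C:\Windows\SysWOW64\svchost.exe",
              r'"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"',
              7520, r"C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"),
    ProcEvent(1234, r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\system32\svchost.exe -k netsvcs -p",
              700, r"C:\Windows\System32\services.exe"),
]

# Assumed allow-list approximating the Sigma rule's parent filter (not the rule's exact list).
EXPECTED_SVCHOST_PARENTS = {"services.exe", "msmpeng.exe", "mrt.exe", "rpcnet.exe"}


def exe_from_cmdline(cmdline: str) -> str:
    """Return the executable path named by a Windows command line
    (first quoted token, or first whitespace-delimited token)."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(" ", 1)[0]


def basename(path: str) -> str:
    # ntpath handles backslashes on any host OS.
    return ntpath.basename(path).lower()


def analyse(events):
    """Map PID -> list of reasons for every event that trips a check."""
    findings = {}
    for ev in events:
        reasons = []
        if basename(ev.image) == "svchost.exe" and basename(ev.parent_image) not in EXPECTED_SVCHOST_PARENTS:
            reasons.append("uncommon_parent")
        # Hollowing leaves the victim's command line pointing at the dropper,
        # while the loaded image is the legitimate binary.
        if basename(exe_from_cmdline(ev.cmdline)) != basename(ev.image):
            reasons.append("cmdline_image_mismatch")
        if reasons:
            findings[ev.pid] = reasons
    return findings


if __name__ == "__main__":
    for pid, why in analyse(EVENTS).items():
        print(pid, ", ".join(why))
```

Only PID 7540 is reported, with both reasons; the dropper itself passes because its command line and image agree, and the real svchost passes on both checks. The second check is the more robust of the two in practice, since it does not depend on a parent allow-list that differs between Windows builds.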
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T10:24:28.619902+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 49223 | 13.248.169.48 | 80 | TCP
2025-01-14T10:25:01.443609+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57343 | 206.119.82.172 | 80 | TCP
2025-01-14T10:25:14.747221+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57427 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:28.132064+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57512 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:41.405894+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57583 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:03.413361+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57603 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:16.567525+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57607 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:29.699619+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57611 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:43.767121+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57615 | 20.244.96.65 | 80 | TCP
2025-01-14T10:27:05.120371+0100 | 2855465 | 1 | A Network Trojan was detected | 192.168.2.4 | 57619 | 84.32.84.32 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-14T10:24:53.839685+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57319 | 206.119.82.172 | 80 | TCP
2025-01-14T10:24:56.387302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57320 | 206.119.82.172 | 80 | TCP
2025-01-14T10:24:58.924134+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57327 | 206.119.82.172 | 80 | TCP
2025-01-14T10:25:07.096702+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57374 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:09.625077+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57395 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:12.197696+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57411 | 67.223.117.142 | 80 | TCP
2025-01-14T10:25:20.684968+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57463 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:23.176391+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57479 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:25.619691+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57496 | 162.0.215.244 | 80 | TCP
2025-01-14T10:25:33.752152+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57544 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:36.292105+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57557 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:38.843157+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57570 | 3.33.130.190 | 80 | TCP
2025-01-14T10:25:55.782922+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57600 | 38.47.233.52 | 80 | TCP
2025-01-14T10:25:58.319121+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57601 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:00.896051+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57602 | 38.47.233.52 | 80 | TCP
2025-01-14T10:26:08.910903+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57604 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:12.082025+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57605 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:14.006169+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57606 | 104.21.3.193 | 80 | TCP
2025-01-14T10:26:22.054349+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57608 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:24.615122+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57609 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:27.168370+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57610 | 3.33.130.190 | 80 | TCP
2025-01-14T10:26:36.262702+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57612 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:38.809818+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57613 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:41.356459+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57614 | 20.244.96.65 | 80 | TCP
2025-01-14T10:26:57.375175+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57616 | 84.32.84.32 | 80 | TCP
2025-01-14T10:26:59.898580+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57617 | 84.32.84.32 | 80 | TCP
2025-01-14T10:27:02.468302+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 57618 | 84.32.84.32 | 80 | TCP
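Read chronologically, the two alert tables show the sample working through its contact list one destination at a time: three POST check-ins (SID 2855464) roughly 2.5 seconds apart, then one GET check-in (SID 2855465), then the next destination. The added example below, which is not part of the report, segments the alerts into those per-destination bursts and reports the SID sequence and spacing inside each. It segments on destination change rather than grouping by IP, because 3.33.130.190 is contacted in two separate bursts (two different names in the rotation resolving to the same address), which a per-IP grouping would merge. The alert rows are transcribed from the tables above; the date, timezone, source IP and destination port are constant and omitted from the embedded text.

```python
"""Segment Suricata FormBook check-in alerts into per-destination bursts and
summarise the SID sequence and inter-alert spacing of each burst."""
from datetime import datetime

# Transcribed from the report's alert tables (2025-01-14, +0100,
# 192.168.2.4 -> dst:80/TCP).  Columns: time, SID, source port, destination IP.
ALERTS_TXT = """
10:24:28.619902 2855465 49223 13.248.169.48
10:25:01.443609 2855465 57343 206.119.82.172
10:25:14.747221 2855465 57427 67.223.117.142
10:25:28.132064 2855465 57512 162.0.215.244
10:25:41.405894 2855465 57583 3.33.130.190
10:26:03.413361 2855465 57603 38.47.233.52
10:26:16.567525 2855465 57607 104.21.3.193
10:26:29.699619 2855465 57611 3.33.130.190
10:26:43.767121 2855465 57615 20.244.96.65
10:27:05.120371 2855465 57619 84.32.84.32
10:24:53.839685 2855464 57319 206.119.82.172
10:24:56.387302 2855464 57320 206.119.82.172
10:24:58.924134 2855464 57327 206.119.82.172
10:25:07.096702 2855464 57374 67.223.117.142
10:25:09.625077 2855464 57395 67.223.117.142
10:25:12.197696 2855464 57411 67.223.117.142
10:25:20.684968 2855464 57463 162.0.215.244
10:25:23.176391 2855464 57479 162.0.215.244
10:25:25.619691 2855464 57496 162.0.215.244
10:25:33.752152 2855464 57544 3.33.130.190
10:25:36.292105 2855464 57557 3.33.130.190
10:25:38.843157 2855464 57570 3.33.130.190
10:25:55.782922 2855464 57600 38.47.233.52
10:25:58.319121 2855464 57601 38.47.233.52
10:26:00.896051 2855464 57602 38.47.233.52
10:26:08.910903 2855464 57604 104.21.3.193
10:26:12.082025 2855464 57605 104.21.3.193
10:26:14.006169 2855464 57606 104.21.3.193
10:26:22.054349 2855464 57608 3.33.130.190
10:26:24.615122 2855464 57609 3.33.130.190
10:26:27.168370 2855464 57610 3.33.130.190
10:26:36.262702 2855464 57612 20.244.96.65
10:26:38.809818 2855464 57613 20.244.96.65
10:26:41.356459 2855464 57614 20.244.96.65
10:26:57.375175 2855464 57616 84.32.84.32
10:26:59.898580 2855464 57617 84.32.84.32
10:27:02.468302 2855464 57618 84.32.84.32
"""

# ETPRO MALWARE FormBook CnC Checkin (POST) M3 / (GET) M2, as named in the report.
SID_NAMES = {2855464: "POST", 2855465: "GET"}


def parse_alerts(text):
    """Return (timestamp, sid, src_port, dst_ip) tuples in chronological order."""
    out = []
    for line in text.strip().splitlines():
        t, sid, sport, dst = line.split()
        ts = datetime.strptime("2025-01-14 " + t, "%Y-%m-%d %H:%M:%S.%f")
        out.append((ts, int(sid), int(sport), dst))
    return sorted(out)


def segment_bursts(alerts):
    """Start a new burst every time the destination changes, then annotate each
    burst with its SID sequence and the gaps (seconds) between its alerts."""
    bursts = []
    for ts, sid, _sport, dst in alerts:
        if bursts and bursts[-1]["dst"] == dst:
            bursts[-1]["events"].append((ts, sid))
        else:
            bursts.append({"dst": dst, "events": [(ts, sid)]})
    for b in bursts:
        ev = b["events"]
        b["start"] = ev[0][0]
        b["sequence"] = [SID_NAMES.get(s, str(s)) for _, s in ev]
        b["gaps"] = [round((ev[i][0] - ev[i - 1][0]).total_seconds(), 3) for i in range(1, len(ev))]
    return bursts


def rotation(bursts):
    """Destinations in the order the sample contacted them."""
    return [b["dst"] for b in bursts]


if __name__ == "__main__":
    for b in segment_bursts(parse_alerts(ALERTS_TXT)):
        print(b["start"].time(), b["dst"], "-".join(b["sequence"]), b["gaps"])
```

Ten bursts come out; the first (13.248.169.48) is a lone GET, and every later one is POST, POST, POST, GET with gaps between about 1.9 and 3.2 seconds. That fixed cadence, together with the host rotation, is what a beaconing detector on proxy or NetFlow data can key on even without the ETPRO content signatures.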


                AV Detection

Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Avira: detected
Source: http://www.nexula.website/ro4w/ | Avira URL Cloud: Label: malware
Source: http://www.wddb97.top/p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= | Avira URL Cloud: Label: malware
Source: http://www.7wkto5nk230724z.click/yysf/ | Avira URL Cloud: Label: malware
Source: http://www.nexula.website/ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 | Avira URL Cloud: Label: malware
Source: http://www.wddb97.top/p75v/ | Avira URL Cloud: Label: malware
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | VirusTotal: Detection: 36%
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | ReversingLabs: Detection: 44%
Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Joe Sandbox ML: detected
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zalkpCfMwtnpQo.exe, 00000002.00000002.3547860890.000000000013E000.00000002.00000001.01000000.00000004.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3547855130.000000000013E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: verclsid.pdbGCTL source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: verclsid.pdb source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C68EE FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C5C97 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: 3_2_0303C650 FindFirstFileW,FindNextFileW,FindClose
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: 4x nop then xor eax, eax (3_2_03029DD0)
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: 4x nop then mov ebx, 00000004h (3_2_04E004DF)

                Networking

Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:49223 -> 13.248.169.48:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57319 -> 206.119.82.172:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57374 -> 67.223.117.142:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57343 -> 206.119.82.172:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57411 -> 67.223.117.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57463 -> 162.0.215.244:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57395 -> 67.223.117.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57327 -> 206.119.82.172:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57496 -> 162.0.215.244:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57512 -> 162.0.215.244:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57320 -> 206.119.82.172:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57479 -> 162.0.215.244:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57544 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57557 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57570 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57583 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57600 -> 38.47.233.52:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57611 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57607 -> 104.21.3.193:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57619 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57601 -> 38.47.233.52:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57427 -> 67.223.117.142:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57612 -> 20.244.96.65:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57615 -> 20.244.96.65:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57606 -> 104.21.3.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57604 -> 104.21.3.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57616 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57608 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57602 -> 38.47.233.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57618 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57614 -> 20.244.96.65:80
Source: Network traffic | Suricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.4:57603 -> 38.47.233.52:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57617 -> 84.32.84.32:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57613 -> 20.244.96.65:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57610 -> 3.33.130.190:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57605 -> 104.21.3.193:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:57609 -> 3.33.130.190:80
Source: global traffic | TCP traffic: 192.168.2.4:49221 -> 1.1.1.1:53
Source: global traffic | TCP traffic: 192.168.2.4:57314 -> 162.159.36.2:53
Source: Joe Sandbox View | IP Address: 206.119.82.172
Source: Joe Sandbox View | IP Address: 67.223.117.142
Source: Joe Sandbox View | IP Address: 162.0.215.244
Source: Joe Sandbox View | ASN Name: COGENT-174US
Source: Joe Sandbox View | ASN Name: VIMRO-AS15189US
Source: Joe Sandbox View | ASN Name: ACPCA
Source: Joe Sandbox View | ASN Name: AMAZON-02US
Source: unknown | TCP traffic detected without corresponding DNS query: 1.1.1.1 (4 occurrences)
Source: unknown | TCP traffic detected without corresponding DNS query: 162.159.36.2 (4 occurrences)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004CCE44 InternetReadFile,SetEvent,GetLastError,SetEvent
Source: global traffic | HTTP traffic detected:
  GET /4qxi/?OvV=2njD6f80EDOLQ8&wz4=2e2Lyydb5YXufeuqFd6wHPkWuEpHgF+t8X6R7x/Chu/ldxqUFwOFXImYee7E7KlqqCMuAjd7uJeZN9yFXwONOjr0nxS6++UxPbCo/R3/4PV751NgF4k6l5M= HTTP/1.1
  Host: www.thesquare.world
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /p75v/?OvV=2njD6f80EDOLQ8&wz4=GLmvlUrKOeNEevY3wcyfjSkNrwRDbMR2/x32zMvR34mmT0X9ObY05SVA9W4yUMrr2Yq11ERvKU6w2wYb4X7EbFt4LfTn3Wu5NGMirqATx7GUx0yxlSOAJso= HTTP/1.1
  Host: www.wddb97.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /ro4w/?wz4=c7bs7cBJE/6WeNDz6y7wfs4csA5ai8mWfunIFb5NDUjHoY3en1z9O1W0OakyKWwaCum+/W1z6qbtx3tl+iJ0V9nyUJg4fcAQQsDkMDUAlXZwvkRINEDVO9c=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.nexula.website
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /rpjd/?wz4=yOJpbVbkgz0HtUwQYARMSThcLcopmrPoDVX6GqNwoWWXZF3pcIj1Y13LV6gW4nMVJ2J858d+IDhJ+laaNqfHK1c6MutgW040XFAhxno1AdPNbACR1ywEbhk=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.prediksipreman.fyi
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /qjug/?wz4=VcMkcuIRceq81+g9yOCv0sbld0olDHkRvlNhYh95NOpnwjcC/r1DFPFDhAQ/BZSpNAD5Fbv04pxr6m2h9PMUHq+9H+1HT0zuQhfUSGVBQeWRfQVA8fdlyIU=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.scottconsults.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /dim8/?wz4=SI5ZCVgJbtC8ikIAaDbl0c4+a+swA4Oej6uVn92gSwZctgLMHnh4qXUXZe4N7Wh4DCFNfNClZUM8FDTYBsBE5loeshCr6I6FGtX7Gz1ZeQkIvaXZY4DJTLc=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.2q33e.top
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /yysf/?OvV=2njD6f80EDOLQ8&wz4=587F8uRRvdNyXp392stmA/LSb7Spi8c8LmJfnRupxm2/Wn33qNRES9K4qtAStdZkGkX6B9loQ5/VkD04mezEqEUp6fJ/QFk+OhJrfgesanG1zCyT/BctW7c= HTTP/1.1
  Host: www.7wkto5nk230724z.click
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /otgv/?wz4=mPj2soEUEFmq5Xu56Ev9ENs/GIe87AemMTFSPosGtz7M/tXNad3AOcc3teRO2drll+qYOuNJorQ/HJUWSqoYkO/lFhsMOlB8p4kTaBK5nEPe9NarMUavWdI=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.livingslab.net
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
Source: global traffic | HTTP traffic detected:
  GET /rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 HTTP/1.1
  Host: www.quickcommerce.cloud
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
  Accept-Language: en-US,en;q=0.9
  Connection: close
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/LgqczUnn1NrDdL/bN6nwlekL5Do//GTuaTPhPlYdtLOoB+gLN1EC4FlrA=&OvV=2njD6f80EDOLQ8 HTTP/1.1Host: www.quickcommerce.cloudAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global trafficHTTP traffic detected: GET /8vp1/?wz4=/LTgXn1km3iwlVyiegwnGjWZZFB0eLisfcmkyyqxOnWJ8H9CeAgPjsH/KIvj3CyMdhcMqJeWq/63o3TMWNYzsf+ek40CYofT8u9WJYZhwl3Hq5liXp4GPpE=&OvV=2njD6f80EDOLQ8 HTTP/1.1Host: www.xpremio.onlineAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-US,en;q=0.9Connection: closeUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like Gecko
                Source: global trafficDNS traffic detected: DNS query: www.thesquare.world
                Source: global trafficDNS traffic detected: DNS query: 15.164.165.52.in-addr.arpa
                Source: global trafficDNS traffic detected: DNS query: www.revolutionmusic.net
                Source: global trafficDNS traffic detected: DNS query: www.wddb97.top
                Source: global trafficDNS traffic detected: DNS query: www.nexula.website
                Source: global trafficDNS traffic detected: DNS query: www.prediksipreman.fyi
                Source: global trafficDNS traffic detected: DNS query: www.scottconsults.top
                Source: global trafficDNS traffic detected: DNS query: www.xtelify.tech
                Source: global trafficDNS traffic detected: DNS query: www.2q33e.top
                Source: global trafficDNS traffic detected: DNS query: www.7wkto5nk230724z.click
                Source: global trafficDNS traffic detected: DNS query: www.livingslab.net
                Source: global trafficDNS traffic detected: DNS query: www.quickcommerce.cloud
                Source: global trafficDNS traffic detected: DNS query: www.cybermisha.store
                Source: global trafficDNS traffic detected: DNS query: www.xpremio.online
                Source: unknownHTTP traffic detected: POST /p75v/ HTTP/1.1Host: www.wddb97.topAccept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Origin: http://www.wddb97.topReferer: http://www.wddb97.top/p75v/Cache-Control: no-cacheConnection: closeContent-Length: 200Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; ASU2JS; rv:11.0) like GeckoData Ascii: wz4=LJOPmiKfTeIBMutBzvzFrhIyqQwbROtjkzTRv+PD4ICLW1n5KLxH7h4f1VdQRbb+xe2StXd8dhaAwFoV/2zmTFRoH8aXkke7M347iq5crr+T1XyDmSmyds5XfApymKKpbq00ywkIsmJHEnpwYqauvGsLPR1tYqs7fNumAa5tP9y/xLn9sxa7bpr2gP8n+GSlFg==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:53 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:56 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:24:58 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:01 GMTContent-Type: text/htmlContent-Length: 138Connection: closeETag: "66aa3a46-8a"Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:07 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:09 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:12 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/htmlData Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:25:14 GMTServer: ApacheContent-Length: 389Connection: closeContent-Type: text/html; charset=utf-8Data Ascii: <!DOCTYPE html PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252"><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL was not found on this server.</p><p>Additionally, a 404 Not Founderror was encountered while trying to use an ErrorDocument to handle the request.</p></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:20 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:22 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkedcontent-encoding: gzipvary: Accept-Encodingdate: Tue, 14 Jan 2025 09:25:25 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not Foundkeep-alive: timeout=5, max=100content-type: text/htmltransfer-encoding: chunkeddate: Tue, 14 Jan 2025 09:25:27 GMTserver: LiteSpeedx-turbo-charged-by: LiteSpeedconnection: close
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:55 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:25:58 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:26:00 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 14 Jan 2025 09:26:03 GMTContent-Type: text/htmlContent-Length: 146Connection: closeData Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:26:08 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Pt32mz4Hjf5wEYEo84%2FdHhvMrBqOd9qGOnyw2tkOof0KdwmNOSE8nVKByZycViJhT%2F82LZwvB6SZcNzltYxE6tBD0Icnv1pfWwHcmjNspDZy4qrksAN6UH9zvhU%2BsLUlWyoafdocWILSdJf"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901c953158fa4309-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1683&min_rtt=1683&rtt_var=841&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=727&delivery_rate=0&cwnd=232&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 14 Jan 2025 09:26:11 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closecf-cache-status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhQRVzxcARiCQFR76qX%2FN8cdbofdEwLUmRg7fc8VBQCvK441%2FvI%2FOL79ouJLyUIrDU5HIIGn0YYpAXTkEnMgs2pjpNomBCORkK4g23UaxOE1CIFlSxWB1SNTS%2Fgr7pVmqolT9nxNaJtbbe3A"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 901c95414d2ede92-EWRContent-Encoding: gzipalt-svc: h3=":443"; ma=86400server-timing: cfL4;desc="?proto=TCP&rtt=1715&min_rtt=1715&rtt_var=857&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=747&delivery_rate=0&cwnd=239&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:13 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FbP2NoBQfclcAsHdBnv16qAEYZDiHZ188yjA%2BJczaFFo9aSzii9rYnhH2qSVZZfPYZSrjsIcgTNLb9oUkIzq%2B3%2BAC0RzvC7koCGhtCvF1t8Z2IYjInbVRQzJXHlSSuJVN%2FH9BJe8oGaz%2BKm%2F"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c955129674304-EWR | Content-Encoding: gzip | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=1552&min_rtt=1552&rtt_var=776&sent=5&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10829&delivery_rate=0&cwnd=246&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 36 64 0d 0a 1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33 31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc 92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3 f4 a1 2e 01 00 0b d9 61 33 92 00 00 00 0d 0a 30 0d 0a 0d 0a | Data Ascii: 6d(HML),I310Q/Qp/Kr$T";Ctv6PiEv0yyr0.a30
                Source: global traffic; HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Tue, 14 Jan 2025 09:26:16 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: close | cf-cache-status: DYNAMIC | Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BzaA1sj8tH4vEN1ikzeHVNTgk3%2BFvNQpBorj0w%2Frdj2W7%2FKHomoVCySaB5gc9KlsJ8ilVVUNucfOwUT0vE7CQcRtnv25WQrLx3rwHQGrKeBkvI3x63jbORSdYv2e%2BAdyeIkMvQJlnEoUCs9E"}],"group":"cf-nel","max_age":604800} | NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} | Server: cloudflare | CF-RAY: 901c95612cfd1a30-EWR | alt-svc: h3=":443"; ma=86400 | server-timing: cfL4;desc="?proto=TCP&rtt=2024&min_rtt=2024&rtt_var=1012&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=448&delivery_rate=0&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0" | Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>0
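The 404 responses above are printed as raw hex, and the Cloudflare-fronted ones are chunked and (in four of five cases) gzip-encoded, so their Data Ascii column is unreadable. The following Python is an added example, not part of the Joe Sandbox report: it de-chunks and gunzips the dumps exactly as a client would and checks whether every host returned the same body as the plain nginx response at 09:26:03. The only inputs are the Data Raw byte strings copied from the entries above; the gzip trailer (CRC32 and ISIZE) is verified by gzip.decompress, so a transcription error would surface as an exception rather than a wrong answer.

```python
import gzip
import struct

# Expected body: the 146-byte default nginx 404 page, as printed in the first response above.
NGINX_404 = (
    b"<html>\r\n"
    b"<head><title>404 Not Found</title></head>\r\n"
    b"<body>\r\n"
    b"<center><h1>404 Not Found</h1></center>\r\n"
    b"<hr><center>nginx</center>\r\n"
    b"</body>\r\n"
    b"</html>\r\n"
)

# "Data Raw" of the first response (Server: nginx, Content-Length: 146), copied from the report.
PLAIN_HEX = """
3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75
6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74
65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65
72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a
3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
"""

# "Data Raw" of the CF-RAY 901c953158fa4309 response: one 0x6d-byte chunk holding a gzip member,
# then the zero-length last-chunk. The three later gzip responses carry identical bytes.
GZIP_CHUNKED_HEX = """
36 64 0d 0a
1f 8b 08 00 00 00 00 00 00 03 b3 c9 28 c9 cd b1 e3 e5 b2 c9 48 4d 4c b1 b3 29 c9 2c c9 49 b5 33
31 30 51 f0 cb 2f 51 70 cb 2f cd 4b b1 d1 87 08 da e8 83 95 f0 72 d9 24 e5 a7 54 82 e8 e4 d4 bc
92 d4 22 3b 9b 0c 43 74 1d 19 86 76 36 fa 50 69 90 d9 45 76 30 c5 79 e9 99 79 15 c8 72 fa 30 d3
f4 a1 2e 01 00 0b d9 61 33 92 00 00 00
0d 0a 30 0d 0a 0d 0a
"""

# "Data Raw" of the CF-RAY 901c95612cfd1a30 response (chunked, no Content-Encoding): byte for
# byte it is a 0x92-byte chunk around the same 146 bytes as PLAIN_HEX, so it is built from it.
PLAIN_CHUNKED_HEX = "39 32 0d 0a " + PLAIN_HEX + " 0d 0a 30 0d 0a 0d 0a"


def dechunk(raw: bytes) -> bytes:
    """Remove HTTP/1.1 chunked framing: <hex size>CRLF <data>CRLF ... 0CRLF CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";", 1)[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:                                    # last-chunk; trailers are ignored
            return bytes(out)
        out += raw[pos:pos + size]
        pos += size
        if raw[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def gzip_header(member: bytes) -> dict:
    """Fixed 10-byte gzip member header (RFC 1952): ID1 ID2 CM FLG MTIME(4) XFL OS."""
    id1, id2, cm, flg, mtime, xfl, os_ = struct.unpack("<BBBBI BB".replace(" ", ""), member[:10])
    if (id1, id2) != (0x1F, 0x8B):
        raise ValueError("not a gzip member")
    return {"cm": cm, "flg": flg, "mtime": mtime, "xfl": xfl, "os": os_}


def decode_body(hexdump: str, *, chunked: bool, gzipped: bool) -> bytes:
    """Turn a report 'Data Raw' dump into the body the client actually received."""
    raw = bytes.fromhex(hexdump)
    if chunked:
        raw = dechunk(raw)
    if gzipped:
        raw = gzip.decompress(raw)       # also verifies the CRC32/ISIZE trailer
    return raw


RESPONSES = {
    "nginx 09:26:03 (identity)": (PLAIN_HEX, False, False),
    "cloudflare CF-RAY 901c953158fa4309 (chunked, gzip)": (GZIP_CHUNKED_HEX, True, True),
    "cloudflare CF-RAY 901c95612cfd1a30 (chunked)": (PLAIN_CHUNKED_HEX, True, False),
}


def decoded_bodies() -> dict:
    return {label: decode_body(h, chunked=c, gzipped=g)
            for label, (h, c, g) in RESPONSES.items()}


def all_identical() -> bool:
    """True when every listed 404 response carried the same body bytes."""
    return len(set(decoded_bodies().values())) == 1


if __name__ == "__main__":
    for label, body in decoded_bodies().items():
        print(f"{label}: {len(body)} bytes, default nginx page: {body == NGINX_404}")
    print("gzip header:", gzip_header(dechunk(bytes.fromhex(GZIP_CHUNKED_HEX))))
```

Every response decodes to the same 146-byte nginx page, and the gzip header carries MTIME 0 and OS 3 (Unix), so the hosts behind Cloudflare are also nginx serving a stock 404. FormBook is known to contact a list of domains of which only one is the live C2, so a uniform 404 from several hosts is expected and does not by itself show which of them, if any, is the real server; the report alone does not settle that.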
                Source: verclsid.exe, 00000003.00000002.3550509142.00000000060BC000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.0000000003D6C000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: http://cpanel.com/?utm_source=cpanelwhm&utm_medium=cplogo&utm_content=logolink&utm_campaign=404refer
                Source: verclsid.exe, 00000003.00000002.3550509142.0000000006A28000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.00000000046D8000.00000004.00000001.00040000.00000000.sdmp; String found in binary or memory: http://quickcommerce.cloud/rdfj/?wz4=W22N1n9VK5BsDegKssi59d1tdmClQzQM6krhrjkO5qQUOhZ23fqPP0igRbfRb/L
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3551901085.00000000057C6000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.xpremio.online
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3551901085.00000000057C6000.00000040.80000000.00040000.00000000.sdmp; String found in binary or memory: http://www.xpremio.online/8vp1/
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033LMEM
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033Ia)a
                Source: verclsid.exe, 00000003.00000002.3548335775.00000000033C6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.00000000033A4000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: verclsid.exe, 00000003.00000003.2016552884.000000000805D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.ecosia.org/newtab/
                Source: verclsid.exe, 00000003.00000003.2022626569.000000000807D000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004CEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_004CEAFF
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004CED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_004CED6A
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004BAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput,0_2_004BAA57
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004E9576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_004E9576

                E-Banking Fraud

                Source: Yara match; File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match; File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara match; File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                System Summary

                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe; String found in binary or memory: This is a third-party compiled AutoIt script.
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.1691214055.0000000000512000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_d220c422-a
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000000.1691214055.0000000000512000.00000002.00000001.01000000.00000003.sdmp; String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_b0088d1d-f
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe; String found in binary or memory: This is a third-party compiled AutoIt script.memstr_26156bcc-0
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe; String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_cadccd65-7
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0042C613 NtClose,1_2_0042C613
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_0040A903 NtAllocateVirtualMemory,1_2_0040A903
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972B60 NtClose,LdrInitializeThunk,1_2_03972B60
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03972DF0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03972C70
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_039735C0 NtCreateMutant,LdrInitializeThunk,1_2_039735C0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03974340 NtSetContextThread,1_2_03974340
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03974650 NtSuspendThread,1_2_03974650
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972B80 NtQueryInformationFile,1_2_03972B80
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972BA0 NtEnumerateValueKey,1_2_03972BA0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972BF0 NtAllocateVirtualMemory,1_2_03972BF0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972BE0 NtQueryValueKey,1_2_03972BE0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972AB0 NtWaitForSingleObject,1_2_03972AB0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972AD0 NtReadFile,1_2_03972AD0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972AF0 NtWriteFile,1_2_03972AF0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972F90 NtProtectVirtualMemory,1_2_03972F90
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972FB0 NtResumeThread,1_2_03972FB0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972FA0 NtQuerySection,1_2_03972FA0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972FE0 NtCreateFile,1_2_03972FE0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972F30 NtCreateSection,1_2_03972F30
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972F60 NtCreateProcessEx,1_2_03972F60
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972E80 NtReadVirtualMemory,1_2_03972E80
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972EA0 NtAdjustPrivilegesToken,1_2_03972EA0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972EE0 NtQueueApcThread,1_2_03972EE0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972E30 NtWriteVirtualMemory,1_2_03972E30
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972DB0 NtEnumerateKey,1_2_03972DB0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972DD0 NtDelayExecution,1_2_03972DD0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972D10 NtMapViewOfSection,1_2_03972D10
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972D00 NtSetInformationFile,1_2_03972D00
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972D30 NtUnmapViewOfSection,1_2_03972D30
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972CA0 NtQueryInformationToken,1_2_03972CA0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972CC0 NtQueryVirtualMemory,1_2_03972CC0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972CF0 NtOpenProcess,1_2_03972CF0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972C00 NtQueryInformationProcess,1_2_03972C00
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03972C60 NtCreateKey,1_2_03972C60
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03973090 NtSetValueKey,1_2_03973090
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03973010 NtOpenDirectoryObject,1_2_03973010
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_039739B0 NtGetContextThread,1_2_039739B0
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03973D10 NtOpenProcessToken,1_2_03973D10
                Source: C:\Windows\SysWOW64\svchost.exe; Code function: 1_2_03973D70 NtOpenThread,1_2_03973D70
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D4650 NtSuspendThread,LdrInitializeThunk,3_2_050D4650
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D4340 NtSetContextThread,LdrInitializeThunk,3_2_050D4340
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2D10 NtMapViewOfSection,LdrInitializeThunk,3_2_050D2D10
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_050D2D30
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2DD0 NtDelayExecution,LdrInitializeThunk,3_2_050D2DD0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_050D2DF0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2C60 NtCreateKey,LdrInitializeThunk,3_2_050D2C60
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_050D2C70
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_050D2CA0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2F30 NtCreateSection,LdrInitializeThunk,3_2_050D2F30
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2FB0 NtResumeThread,LdrInitializeThunk,3_2_050D2FB0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2FE0 NtCreateFile,LdrInitializeThunk,3_2_050D2FE0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_050D2E80
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_050D2EE0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2B60 NtClose,LdrInitializeThunk,3_2_050D2B60
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_050D2BA0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2BE0 NtQueryValueKey,LdrInitializeThunk,3_2_050D2BE0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_050D2BF0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2AD0 NtReadFile,LdrInitializeThunk,3_2_050D2AD0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2AF0 NtWriteFile,LdrInitializeThunk,3_2_050D2AF0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D35C0 NtCreateMutant,LdrInitializeThunk,3_2_050D35C0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D39B0 NtGetContextThread,LdrInitializeThunk,3_2_050D39B0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2D00 NtSetInformationFile,3_2_050D2D00
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2DB0 NtEnumerateKey,3_2_050D2DB0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2C00 NtQueryInformationProcess,3_2_050D2C00
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2CC0 NtQueryVirtualMemory,3_2_050D2CC0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2CF0 NtOpenProcess,3_2_050D2CF0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2F60 NtCreateProcessEx,3_2_050D2F60
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2F90 NtProtectVirtualMemory,3_2_050D2F90
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2FA0 NtQuerySection,3_2_050D2FA0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2E30 NtWriteVirtualMemory,3_2_050D2E30
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2EA0 NtAdjustPrivilegesToken,3_2_050D2EA0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2B80 NtQueryInformationFile,3_2_050D2B80
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2AB0 NtWaitForSingleObject,3_2_050D2AB0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D3010 NtOpenDirectoryObject,3_2_050D3010
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D3090 NtSetValueKey,3_2_050D3090
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D3D10 NtOpenProcessToken,3_2_050D3D10
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D3D70 NtOpenThread,3_2_050D3D70
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_030493D0 NtDeleteFile,3_2_030493D0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_030492E0 NtReadFile,3_2_030492E0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_03049170 NtCreateFile,3_2_03049170
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_030495D0 NtAllocateVirtualMemory,3_2_030495D0
                Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_03049470 NtClose,3_2_03049470
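What makes the svchost.exe and verclsid.exe entries above worth a second look is that both are Microsoft binaries from C:\Windows\SysWOW64, yet each has resolved the complete set of native calls needed to put code into another process: NtOpenProcess or NtCreateProcessEx to get a target, NtWriteVirtualMemory or NtMapViewOfSection to place the payload, NtSetContextThread or NtQueueApcThread to redirect a thread, and NtResumeThread to run it. That is the behaviour behind the "Writes to foreign memory regions", "Modifies the context of a thread in another process" and "Queues an APC in another process" signatures in the overview. The Python below is an added triage example, not part of the Joe Sandbox report: it parses "Code function" lines in the form printed above (either the fused "…exeCode function:" text or with a separator) and flags any process that covers at least three of the four steps. The step grouping, the threshold and the stub count are my own heuristic, not something the report defines, and the input is a constructed subset of the lines above.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the report's "Code function" entries, copied as printed.
REPORT_LINES = r"""
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040A903 NtAllocateVirtualMemory,1_2_0040A903
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03974340 NtSetContextThread,1_2_03974340
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972FB0 NtResumeThread,1_2_03972FB0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972F60 NtCreateProcessEx,1_2_03972F60
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972EE0 NtQueueApcThread,1_2_03972EE0
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972E30 NtWriteVirtualMemory,1_2_03972E30
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972D10 NtMapViewOfSection,1_2_03972D10
Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03972CF0 NtOpenProcess,1_2_03972CF0
Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D4340 NtSetContextThread,LdrInitializeThunk,3_2_050D4340
Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2FB0 NtResumeThread,LdrInitializeThunk,3_2_050D2FB0
Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2EE0 NtQueueApcThread,LdrInitializeThunk,3_2_050D2EE0
Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2E30 NtWriteVirtualMemory,3_2_050D2E30
Source: C:\Windows\SysWOW64\verclsid.exe; Code function: 3_2_050D2CF0 NtOpenProcess,3_2_050D2CF0
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_004BD5EB
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004BE8F6
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C20460_2_004C2046
""".strip().splitlines()

# One report line: "Source: <process path>[;] Code function: <id>[:] <api,api,...,><id>".
# The function id is repeated at the end of every entry (it is the link text in the HTML
# report); for entries with no API list the two copies run together, hence the {8}.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)[;:]?\s*Code function:\s*"
    r"(?P<fid>\d+_\d+_[0-9A-Fa-f]{8}):?\s*"
    r"(?P<apis>.*?),?\s*(?P=fid)?$"
)

# Heuristic grouping (mine, not the report's) of the native calls used for remote injection.
INJECTION_STEPS = {
    "get target":    {"NtOpenProcess", "NtCreateProcessEx"},
    "write foreign": {"NtWriteVirtualMemory", "NtMapViewOfSection"},
    "hijack thread": {"NtSetContextThread", "NtQueueApcThread"},
    "resume":        {"NtResumeThread"},
}


def parse(lines):
    """{process basename: {function id: [api, ...]}} from report 'Code function' lines."""
    funcs = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            proc = m["proc"].rsplit("\\", 1)[-1]
            funcs[proc][m["fid"]] = [a for a in m["apis"].split(",") if a]
    return dict(funcs)


def injection_profile(lines):
    """Per process: resolved APIs, injection steps covered, and the number of functions that
    wrap exactly one Nt* call (the report lists such stubs at 0x0397xxxx in svchost.exe and
    0x050Dxxxx in verclsid.exe, outside ntdll's own export thunks)."""
    profile = {}
    for proc, funcs in parse(lines).items():
        apis = {a for lst in funcs.values() for a in lst}
        steps = {name for name, needed in INJECTION_STEPS.items() if apis & needed}
        stubs = 0
        for lst in funcs.values():
            calls = [a for a in lst if a != "LdrInitializeThunk"]
            if len(calls) == 1 and calls[0].startswith("Nt"):
                stubs += 1
        profile[proc] = {"apis": apis, "steps": steps, "nt_stubs": stubs}
    return profile


def flag_injectors(lines, min_steps=3):
    """Processes whose resolved APIs cover at least min_steps of the four injection steps."""
    return sorted(p for p, info in injection_profile(lines).items()
                  if len(info["steps"]) >= min_steps)


if __name__ == "__main__":
    for proc, info in injection_profile(REPORT_LINES).items():
        print(f"{proc}: steps={sorted(info['steps'])} nt_stubs={info['nt_stubs']}")
    print("flagged:", flag_injectors(REPORT_LINES))
```

Run over the sample lines, both hollowed system binaries come back with all four steps and the AutoIt dropper itself with none, which matches the process chain the report describes: the .scr.exe only stages the payload, and the injection is performed from inside svchost.exe and verclsid.exe. The same parser can be pointed at a full report export to rank every process by how much of the injection set it resolves.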
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004BD5EB: CreateFileW,DeviceIoControl,CloseHandle,0_2_004BD5EB
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_004B1201
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004BE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_004BE8F6
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004C2046
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00458060
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004B8298
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0048E4FF
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0048676B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004E4873
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0045CAF0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0047CAA0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0046CC39
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00486DD9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0046B119
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004591C0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00471394
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00471706
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0047781B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0046997D
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00457920
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004719B0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00477A4A
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00471C77
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00477CA7
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_004DBE44
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00489EEE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_0045BF40
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_00471F32
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe; Code function: 0_2_01573B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004185B31_2_004185B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004100931_2_00410093
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E10B1_2_0040E10B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E1131_2_0040E113
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004022501_2_00402250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004012101_2_00401210
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004023F01_2_004023F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042EC231_2_0042EC23
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FE6A1_2_0040FE6A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026701_2_00402670
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FE731_2_0040FE73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00402F201_2_00402F20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004167DE1_2_004167DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004167E31_2_004167E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A003E61_2_03A003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E3F01_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FA3521_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C02C01_2_039C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E02741_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A001AA1_2_03A001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F41A21_2_039F41A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F81CC1_2_039F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DA1181_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039301001_2_03930100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C81581_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D20001_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393C7C01_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039647501_2_03964750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039407701_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395C6E01_2_0395C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A005911_2_03A00591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039405351_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EE4F61_2_039EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E44201_2_039E4420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F24461_2_039F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F6BD71_2_039F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FAB401_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA801_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A0A9A61_2_03A0A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A01_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039569621_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039268B81_2_039268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396E8F01_2_0396E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394A8401_2_0394A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039428401_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BEFA01_2_039BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03932FC81_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03960F301_2_03960F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E2F301_2_039E2F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03982F281_2_03982F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B4F401_2_039B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952E901_2_03952E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FCE931_2_039FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FEEDB1_2_039FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393AE0D1_2_0393AE0D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FEE261_2_039FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940E591_2_03940E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03958DBF1_2_03958DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DCD1F1_2_039DCD1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394AD001_2_0394AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E0CB51_2_039E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930CF21_2_03930CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940C001_2_03940C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0398739A1_2_0398739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F132D1_2_039F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392D34C1_2_0392D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039452A01_2_039452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395B2C01_2_0395B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395D2F01_2_0395D2F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E12ED1_2_039E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394B1B01_2_0394B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A0B16B1_2_03A0B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392F1721_2_0392F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397516C1_2_0397516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EF0CC1_2_039EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039470C01_2_039470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F70E91_2_039F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF0E01_2_039FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF7B01_2_039FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F16CC1_2_039F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039856301_2_03985630
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DD5B01_2_039DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A095C31_2_03A095C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F75711_2_039F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FF43F1_2_039FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039314601_2_03931460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FB801_2_0395FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B5BF01_2_039B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397DBF91_2_0397DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFB761_2_039FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DDAAC1_2_039DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03985AA01_2_03985AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E1AA31_2_039E1AA3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EDAC61_2_039EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFA491_2_039FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F7A461_2_039F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B3A6C1_2_039B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D59101_2_039D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039499501_2_03949950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395B9501_2_0395B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039438E01_2_039438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AD8001_2_039AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03941F921_2_03941F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFFB11_2_039FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03903FD21_2_03903FD2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03903FD51_2_03903FD5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFF091_2_039FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03949EB01_2_03949EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395FDC01_2_0395FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F1D5A1_2_039F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03943D401_2_03943D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F7D731_2_039F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FFCF21_2_039FFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B9C321_2_039B9C32
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A05353_2_050A0535
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051605913_2_05160591
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051444203_2_05144420
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051524463_2_05152446
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0514E4F63_2_0514E4F6
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050C47503_2_050C4750
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A07703_2_050A0770
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0509C7C03_2_0509C7C0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BC6E03_2_050BC6E0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050901003_2_05090100
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0513A1183_2_0513A118
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051281583_2_05128158
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051541A23_2_051541A2
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051601AA3_2_051601AA
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051581CC3_2_051581CC
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051320003_2_05132000
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515A3523_2_0515A352
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051603E63_2_051603E6
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050AE3F03_2_050AE3F0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051402743_2_05140274
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051202C03_2_051202C0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050AAD003_2_050AAD00
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0513CD1F3_2_0513CD1F
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050B8DBF3_2_050B8DBF
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0509ADE03_2_0509ADE0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A0C003_2_050A0C00
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05140CB53_2_05140CB5
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05090CF23_2_05090CF2
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05142F303_2_05142F30
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050E2F283_2_050E2F28
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050C0F303_2_050C0F30
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05114F403_2_05114F40
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0511EFA03_2_0511EFA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05092FC83_2_05092FC8
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515EE263_2_0515EE26
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A0E593_2_050A0E59
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515CE933_2_0515CE93
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050B2E903_2_050B2E90
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515EEDB3_2_0515EEDB
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050B69623_2_050B6962
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A29A03_2_050A29A0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0516A9A63_2_0516A9A6
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A28403_2_050A2840
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050AA8403_2_050AA840
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050868B83_2_050868B8
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050CE8F03_2_050CE8F0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515AB403_2_0515AB40
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05156BD73_2_05156BD7
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0509EA803_2_0509EA80
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051575713_2_05157571
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0513D5B03_2_0513D5B0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051695C33_2_051695C3
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515F43F3_2_0515F43F
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050914603_2_05091460
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515F7B03_2_0515F7B0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050E56303_2_050E5630
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051516CC3_2_051516CC
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050D516C3_2_050D516C
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0508F1723_2_0508F172
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0516B16B3_2_0516B16B
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050AB1B03_2_050AB1B0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A70C03_2_050A70C0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0514F0CC3_2_0514F0CC
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515F0E03_2_0515F0E0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051570E93_2_051570E9
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515132D3_2_0515132D
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0508D34C3_2_0508D34C
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050E739A3_2_050E739A
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A52A03_2_050A52A0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BB2C03_2_050BB2C0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051412ED3_2_051412ED
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BD2F03_2_050BD2F0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A3D403_2_050A3D40
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05151D5A3_2_05151D5A
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05157D733_2_05157D73
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BFDC03_2_050BFDC0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05119C323_2_05119C32
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515FCF23_2_0515FCF2
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515FF093_2_0515FF09
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A1F923_2_050A1F92
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515FFB13_2_0515FFB1
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05063FD53_2_05063FD5
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05063FD23_2_05063FD2
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A9EB03_2_050A9EB0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_051359103_2_05135910
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A99503_2_050A9950
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BB9503_2_050BB950
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0510D8003_2_0510D800
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050A38E03_2_050A38E0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515FB763_2_0515FB76
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050BFB803_2_050BFB80
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05115BF03_2_05115BF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050DDBF93_2_050DDBF9
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05157A463_2_05157A46
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0515FA493_2_0515FA49
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05113A6C3_2_05113A6C
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050E5AA03_2_050E5AA0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05141AA33_2_05141AA3
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0513DAAC3_2_0513DAAC
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0514DAC63_2_0514DAC6
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_03031D903_2_03031D90
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302AF683_2_0302AF68
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302AF703_2_0302AF70
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302CEF03_2_0302CEF0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302CCC73_2_0302CCC7
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302CCD03_2_0302CCD0
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0303363B3_2_0303363B
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030336403_2_03033640
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030354103_2_03035410
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0304BA803_2_0304BA80
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0E6ED3_2_04E0E6ED
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0D7B83_2_04E0D7B8
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0E2383_2_04E0E238
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0E3533_2_04E0E353
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0CA783_2_04E0CA78
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_04E0CA3D3_2_04E0CA3D
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: String function: 00470A30 appears 46 times
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: String function: 0046F9F2 appears 31 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0392B970 appears 262 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03975130 appears 58 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039AEA12 appears 86 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 039BF290 appears 103 times
Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03987E54 appears 107 times
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: String function: 050E7E54 appears 107 times
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: String function: 0508B970 appears 262 times
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: String function: 0511F290 appears 103 times
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: String function: 0510EA12 appears 86 times
Source: C:\Windows\SysWOW64\verclsid.exe | Code function: String function: 050D5130 appears 58 times
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699819205.0000000003CF3000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1702493783.000000000420D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Scanned-IMGS_from NomanGroup IDT.scr.exe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/2@14/9
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C37B5 GetLastError,FormatMessageW
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B10BF AdjustTokenPrivileges,CloseHandle
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004DA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004C648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004542A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | File created: C:\Users\user\AppData\Local\Temp\peaks
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: verclsid.exe, 00000003.00000002.3548335775.00000000033E3000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3548335775.0000000003405000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.2017590770.0000000003405000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Virustotal: Detection: 36%
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | ReversingLabs: Detection: 44%
Source: unknown | Process created: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: mpr.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: ieframe.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: netapi32.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: winhttp.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: wkscli.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: winsqlite3.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: vaultcli.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: wininet.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: mswsock.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\SysWOW64\verclsid.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
Source: C:\Windows\SysWOW64\verclsid.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static file information: File size 1613824 > 1048576
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: zalkpCfMwtnpQo.exe, 00000002.00000002.3547860890.000000000013E000.00000002.00000001.01000000.00000004.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3547855130.000000000013E000.00000002.00000001.01000000.00000004.sdmp
                Source: Binary string: wntdll.pdbUGP source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1699361176.0000000003BD0000.00000004.00001000.00020000.00000000.sdmp, Scanned-IMGS_from NomanGroup IDT.scr.exe, 00000000.00000003.1701122516.00000000040E0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000003.1729825920.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829963241.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1731375904.0000000003700000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, verclsid.exe, 00000003.00000003.1838981604.0000000004EB6000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.0000000005060000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3549867531.00000000051FE000.00000040.00001000.00020000.00000000.sdmp, verclsid.exe, 00000003.00000003.1836979825.0000000004D01000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: verclsid.pdbGCTL source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: verclsid.pdb source: svchost.exe, 00000001.00000003.1798236689.000000000321A000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1829844647.0000000003200000.00000004.00000020.00020000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000002.3548785048.0000000000E48000.00000004.00000020.00020000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, verclsid.exe, 00000003.00000002.3550509142.000000000568C000.00000004.10000000.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000002.3549816270.000000000333C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2126594180.000000000FEAC000.00000004.80000000.00040000.00000000.sdmp
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
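                The data-directory lines above are what a static PE parser reports after resolving each directory RVA to the section whose virtual range contains it. The following Python is an added example written for this page, not Joe Sandbox code and not derived from the sample: it parses the PE headers by hand (no third-party pefile dependency), builds the same directory-to-section mapping, and reports a directory whose RVA lies outside every section as unmapped, which is the case worth a second look in an unpacked or tampered image. The headers-only PE it builds as input is constructed to mirror the section layout listed above (.rdata, .rsrc, .reloc) and is an assumption, not bytes from the sample.

```python
import struct

# Index order of IMAGE_DATA_DIRECTORY entries in the optional header.
DIRECTORY_NAMES = [
    "EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
    "DEBUG", "ARCHITECTURE", "GLOBALPTR", "TLS", "LOAD_CONFIG",
    "BOUND_IMPORT", "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED",
]


def map_data_directories(pe: bytes) -> dict:
    """Return {directory_name: owning_section_or_None} for every data
    directory with a non-zero RVA.  A directory whose RVA falls outside all
    sections is reported as None."""
    if pe[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:        # PE32: NumberOfRvaAndSizes at +92, directories at +96
        count_off, dir_off = 92, 96
    elif magic == 0x20B:      # PE32+: both fields sit 16 bytes further in
        count_off, dir_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    n_dirs = min(struct.unpack_from("<I", pe, opt + count_off)[0], 16)

    # Section table starts right after the optional header; 40 bytes per entry.
    sections = []
    table = opt + size_of_opt
    for i in range(num_sections):
        name, vsize, va, raw_size = struct.unpack_from("<8sIII", pe, table + 40 * i)
        span = max(vsize, raw_size)   # the loader maps the larger of the two
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, span))

    result = {}
    for i in range(n_dirs):
        rva, _size = struct.unpack_from("<II", pe, opt + dir_off + 8 * i)
        if rva == 0:
            continue
        # SECURITY holds a raw file offset, not an RVA; resolving it against
        # virtual addresses would be wrong, so it is reported as unmapped.
        if DIRECTORY_NAMES[i] == "SECURITY":
            result["SECURITY"] = None
            continue
        owner = next((n for n, va, span in sections if va <= rva < va + span), None)
        result[DIRECTORY_NAMES[i]] = owner
    return result


def build_sample_pe32() -> bytes:
    """Constructed, headers-only PE32 image used as test input.  It copies the
    section layout the report describes (directories in .rdata, .rsrc and
    .reloc) and adds one deliberately dangling TLS entry; it is not the sample."""
    sections = [(b".text", 0x1000, 0x1000), (b".rdata", 0x2000, 0x1000),
                (b".rsrc", 0x3000, 0x1000), (b".reloc", 0x4000, 0x1000)]
    dirs = {"IMPORT": 0x2100, "RESOURCE": 0x3000, "BASERELOC": 0x4000,
            "DEBUG": 0x2200, "LOAD_CONFIG": 0x2300, "IAT": 0x2000,
            "TLS": 0x9000}                        # outside every section
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))   # e_lfanew
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # Magic
    struct.pack_into("<I", opt, 92, 16)           # NumberOfRvaAndSizes
    for name, rva in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * DIRECTORY_NAMES.index(name), rva, 0x100)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", n, vs, va, vs, 0, 0, 0, 0, 0, 0x40000040)
        for n, va, vs in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    for name, owner in map_data_directories(build_sample_pe32()).items():
        print(f"IMAGE_DIRECTORY_ENTRY_{name} is in: {owner or '(no section)'}")
```

                Run it as a script to get the same "IMAGE_DIRECTORY_ENTRY_X is in: .section" lines the report prints; feed map_data_directories() the bytes of a real file to check a dropped or unpacked payload the same way.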
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_00470A76 push ecx; ret 0_2_00470A89
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041E80C push edx; iretw 1_2_0041E831
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418036 push edx; retf 1_2_0041803B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D0FD push edx; retf 1_2_0040D121
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041E898 push edx; iretw 1_2_0041E831
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00411953 push FFFFFFCFh; iretd 1_2_00411974
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004031A0 push eax; ret 1_2_004031A2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00418215 push esp; iretd 1_2_00418217
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040C32C push eax; iretd 1_2_0040C32E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00413B38 push ebp; retf 1_2_00413B4E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D3EA push ebp; ret 1_2_0040D3EC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00413BF6 push cs; iretd 1_2_00413BF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00401DE2 push eax; retf 1_2_00401DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0041A6D5 push eax; retf 1_2_0041A6DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00404EBD push edi; ret 1_2_00404EF7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00404F00 push edi; ret 1_2_00404EF7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004177C5 pushfd ; retn F88Bh1_2_004177C2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040D7EB push es; iretd 1_2_0040D7F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390225F pushad ; ret 1_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039027FA pushad ; ret 1_2_039027F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039309AD push ecx; mov dword ptr [esp], ecx1_2_039309B6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390283D push eax; iretd 1_2_03902858
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03901368 push eax; iretd 1_2_03901369
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050627FA pushad ; ret 3_2_050627F9
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0506225F pushad ; ret 3_2_050627F9
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_050909AD push ecx; mov dword ptr [esp], ecx3_2_050909B6
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0506283D push eax; iretd 3_2_05062858
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_05061368 push eax; iretd 3_2_05061369
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0302E7B0 push FFFFFFCFh; iretd 3_2_0302E7D1
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_03034622 pushfd ; retn F88Bh3_2_0303461F
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_030325CE push ds; retf 3_2_030325D9
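                The push/ret, push/iretd and pushfd/retn pairs listed above, together with the rdtsc site and the mov eax, dword ptr fs:[00000030h] (PEB read) sites reported further down under Malware Analysis System Evasion, are the instruction patterns a sandbox flags as control-flow obfuscation, execution timing and debugger detection. The following Python is an added example written for this page, not Joe Sandbox code: a byte-level scanner that finds those three patterns in a raw code region and reports them with the same kind of address and mnemonic the report shows. The input buffer is constructed for the example and is not bytes from the sample. The scanner only catches a push immediately followed by a return; several of the pairs above are separated by other instructions and need a disassembler to find.

```python
import struct

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
OTHER_PUSH = {0x06: "push es", 0x0E: "push cs", 0x16: "push ss", 0x1E: "push ds",
              0x60: "pushad", 0x9C: "pushfd"}
RET_OPS = {0xC3: "ret", 0xCB: "retf", 0xCF: "iretd"}
FS30 = b"\x30\x00\x00\x00"          # disp32 of fs:[30h], the PEB pointer


def _push_at(code: bytes, i: int):
    """Return (mnemonic, length) if code[i] starts a push, else None."""
    b = code[i]
    if 0x50 <= b <= 0x57:
        return f"push {REG32[b - 0x50]}", 1
    if b in OTHER_PUSH:
        return OTHER_PUSH[b], 1
    if b == 0x6A and i + 1 < len(code):            # push imm8 (sign-extended)
        return f"push {code[i + 1]:#x}", 2
    return None


def _ret_at(code: bytes, j: int):
    """Return (mnemonic, length) if code[j] starts a return, else None."""
    if j >= len(code):
        return None
    r = code[j]
    if r in RET_OPS:
        return RET_OPS[r], 1
    if r == 0x66 and code[j + 1:j + 2] == b"\xCF":  # 16-bit operand-size iret
        return "iretw", 2
    if r == 0xC2 and j + 3 <= len(code):           # retn imm16
        return f"retn {struct.unpack_from('<H', code, j + 1)[0]:#x}", 3
    return None


def scan_evasion_patterns(code: bytes, base: int = 0) -> list:
    """Linear byte scan for three report signatures:
    peb_access - mov r32, fs:[30h]  (PEB read, e.g. before PEB.BeingDebugged)
    rdtsc      - 0F 31, the timing primitive behind execution-timing checks
    push_ret   - a push immediately followed by ret/retf/iretd/iretw/retn
    Returns [(address, kind, text)].  Heuristic only: no instruction-length
    decoding, so a match inside an immediate or displacement is possible."""
    hits, i, n = [], 0, len(code)
    while i < n:
        b = code[i]
        if b == 0x64 and code[i + 1:i + 2] == b"\xA1" and code[i + 2:i + 6] == FS30:
            hits.append((base + i, "peb_access", "mov eax, fs:[30h]"))
            i += 6
            continue
        if (b == 0x64 and code[i + 1:i + 2] == b"\x8B" and i + 7 <= n
                and (code[i + 2] & 0xC7) == 0x05 and code[i + 3:i + 7] == FS30):
            reg = REG32[(code[i + 2] >> 3) & 7]   # modrm: mod=00 reg rm=101
            hits.append((base + i, "peb_access", f"mov {reg}, fs:[30h]"))
            i += 7
            continue
        if b == 0x0F and code[i + 1:i + 2] == b"\x31":
            hits.append((base + i, "rdtsc", "rdtsc"))
            i += 2
            continue
        push = _push_at(code, i)
        if push:
            ret = _ret_at(code, i + push[1])
            if ret:
                hits.append((base + i, "push_ret", f"{push[0]}; {ret[0]}"))
                i += push[1] + ret[1]
                continue
        i += 1
    return hits


# Constructed test bytes (not from the sample): a normal prologue, two PEB
# reads, a BeingDebugged load, rdtsc and three push/ret pairs.
SAMPLE_CODE = bytes.fromhex(
    "55 8b ec"               # push ebp; mov ebp, esp   (benign, not flagged)
    "64 a1 30 00 00 00"      # mov eax, fs:[30h]
    "0f b6 40 02"            # movzx eax, byte [eax+2]  (PEB.BeingDebugged)
    "64 8b 0d 30 00 00 00"   # mov ecx, fs:[30h]
    "0f 31"                  # rdtsc
    "51 c3"                  # push ecx; ret
    "6a cf cf"               # push 0FFFFFFCFh; iretd
    "9c c2 8b f8"            # pushfd; retn 0F88Bh
    "c3"                     # ret
)

if __name__ == "__main__":
    for addr, kind, text in scan_evasion_patterns(SAMPLE_CODE, base=0x401000):
        print(f"{addr:08X} {kind:<10} {text}")
```

                Pass the bytes of a dumped region (for instance the svchost.exe 0x00400000 image or the verclsid.exe 0x03020000 region the report references) together with its base address to get report-style output; treat a dense cluster of push_ret hits as a hint that the region is obfuscated rather than as proof on its own.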
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0046F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0046F98E
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004E1C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_004E1C41
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeProcess information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\verclsid.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeSandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeAPI/Special instruction interceptor: Address: 1573774
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE22210154
                Source: C:\Windows\SysWOW64\verclsid.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416628 rdtsc 1_2_00416628
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeAPI coverage: 3.6 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\verclsid.exeAPI coverage: 2.6 %
                Source: C:\Windows\SysWOW64\verclsid.exe TID: 7724Thread sleep count: 48 > 30
                Source: C:\Windows\SysWOW64\verclsid.exe TID: 7724Thread sleep time: -96000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904Thread sleep time: -75000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904Thread sleep count: 34 > 30
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904Thread sleep time: -34000s >= -30000s
                Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe TID: 7904Thread sleep time: -39000s >= -30000s
                Source: C:\Windows\SysWOW64\verclsid.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\verclsid.exeLast function: Thread delayed
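                The thread-delay lines above apply two per-thread thresholds: more than 30 sleep calls, and a cumulative delay of at least 30000 (the negative figures are the relative-interval convention of NtDelayExecution). The following Python is an added example written for this page, not Joe Sandbox code: it applies the same two thresholds to an API-call log grouped by thread id, and additionally flags a thread that alternates GetForegroundWindow with Sleep, which is the sandbox detection routine named at the top of this section. The log lines, the '<tid> Api(args)' line format, the treatment of Sleep's first argument as milliseconds and the polling cutoff of 10 calls are all constructed assumptions for the example.

```python
import re
from collections import defaultdict

LOG_LINE = re.compile(r"^\s*(\d+)\s+(\w+)\((.*)\)\s*$")

# Thresholds mirroring the ones the report applies; the polling cutoff is a
# hypothetical value chosen for this example.
SLEEP_COUNT_THRESHOLD = 30
SLEEP_TOTAL_MS_THRESHOLD = 30000
FOREGROUND_POLL_THRESHOLD = 10


def analyze_api_log(lines):
    """Group an API-call log by thread id and flag sleep-based stalling and
    GetForegroundWindow polling.  Lines look like '<tid> Api(args)'; Sleep's
    first argument is read as milliseconds.  Returns {tid: summary}."""
    threads = defaultdict(lambda: {"sleep_count": 0, "total_ms": 0,
                                   "foreground_polls": 0, "flags": []})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip blank or malformed lines
        tid, api, args = int(m.group(1)), m.group(2), m.group(3)
        t = threads[tid]
        if api == "Sleep":
            t["sleep_count"] += 1
            first = args.split(",")[0].strip()
            if first.isdigit():
                t["total_ms"] += int(first)
        elif api == "GetForegroundWindow":
            t["foreground_polls"] += 1
    for t in threads.values():
        if t["sleep_count"] > SLEEP_COUNT_THRESHOLD:
            t["flags"].append("sleep_count_gt_30")
        if t["total_ms"] >= SLEEP_TOTAL_MS_THRESHOLD:
            t["flags"].append("cumulative_sleep_ge_30000ms")
        # A thread that keeps asking for the foreground window between sleeps
        # is waiting for a user to change windows before it proceeds.
        if (t["foreground_polls"] >= FOREGROUND_POLL_THRESHOLD
                and t["sleep_count"] >= FOREGROUND_POLL_THRESHOLD):
            t["flags"].append("foreground_window_polling")
    return dict(threads)


def build_sample_log():
    """Constructed log (not sandbox output): thread 7724 polls the foreground
    window and sleeps 2 s, 48 times over; thread 8001 sleeps briefly five times."""
    lines = []
    for _ in range(48):
        lines.append("7724 GetForegroundWindow()")
        lines.append("7724 Sleep(2000)")
    lines += ["8001 Sleep(100)"] * 5
    lines.append("a line that does not parse and is ignored")
    return lines


if __name__ == "__main__":
    for tid, summary in analyze_api_log(build_sample_log()).items():
        print(tid, summary)
```

                On the constructed log, thread 7724 trips all three flags (48 sleeps, 96000 ms, 48 foreground polls) while thread 8001 trips none; point analyze_api_log() at an exported API trace to reproduce the report's per-TID verdicts.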
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C68EE FindFirstFileW,FindClose,0_2_004C68EE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime,0_2_004C698F
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004BD076
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,0_2_004BD3A9
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C9642
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_004C979D
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose,0_2_004C9B2B
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004BDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose,0_2_004BDBBE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C5C97 FindFirstFileW,FindNextFileW,FindClose,0_2_004C5C97
                Source: C:\Windows\SysWOW64\verclsid.exeCode function: 3_2_0303C650 FindFirstFileW,FindNextFileW,FindClose,3_2_0303C650
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: zalkpCfMwtnpQo.exe, 00000007.00000002.3548850540.000000000149F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll0
                Source: verclsid.exe, 00000003.00000002.3548335775.0000000003385000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000008.00000002.2127771986.000001110FEAC000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\verclsid.exeProcess queried: DebugPort
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00416628 rdtsc 1_2_00416628
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417733 LdrLoadDll,1_2_00417733
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004CEAA2 BlockInput,0_2_004CEAA2
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_00482622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00482622
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_00474CE8 mov eax, dword ptr fs:[00000030h]0_2_00474CE8
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_015723D0 mov eax, dword ptr fs:[00000030h]0_2_015723D0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_015739E0 mov eax, dword ptr fs:[00000030h]0_2_015739E0
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_01573A40 mov eax, dword ptr fs:[00000030h]0_2_01573A40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928397 mov eax, dword ptr fs:[00000030h]1_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392E388 mov eax, dword ptr fs:[00000030h]1_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395438F mov eax, dword ptr fs:[00000030h]1_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395438F mov eax, dword ptr fs:[00000030h]1_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h]1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h]1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE3DB mov ecx, dword ptr fs:[00000030h]1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DE3DB mov eax, dword ptr fs:[00000030h]1_2_039DE3DB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D43D4 mov eax, dword ptr fs:[00000030h]1_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D43D4 mov eax, dword ptr fs:[00000030h]1_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039EC3CD mov eax, dword ptr fs:[00000030h]1_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A3C0 mov eax, dword ptr fs:[00000030h]1_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039383C0 mov eax, dword ptr fs:[00000030h]1_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B63C0 mov eax, dword ptr fs:[00000030h]1_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0394E3F0 mov eax, dword ptr fs:[00000030h]1_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039663FF mov eax, dword ptr fs:[00000030h]1_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039403E9 mov eax, dword ptr fs:[00000030h]1_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392C310 mov ecx, dword ptr fs:[00000030h]1_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h]1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A08324 mov ecx, dword ptr fs:[00000030h]1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h]1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A08324 mov eax, dword ptr fs:[00000030h]1_2_03A08324
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950310 mov ecx, dword ptr fs:[00000030h]1_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396A30B mov eax, dword ptr fs:[00000030h]1_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov ecx, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B035C mov eax, dword ptr fs:[00000030h]1_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FA352 mov eax, dword ptr fs:[00000030h]1_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D8350 mov ecx, dword ptr fs:[00000030h]1_2_039D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B2349 mov eax, dword ptr fs:[00000030h]1_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D437C mov eax, dword ptr fs:[00000030h]1_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A0634F  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E284  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E284  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B0283  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B0283  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B0283  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039402A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039402A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C62A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A2C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A2C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A2C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A2C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393A2C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039402E1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039402E1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039402E1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A062D6  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392823B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A250  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03936259  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EA250  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EA250  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B8243  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B8243  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E0274  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934260  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934260  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934260  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392826B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A0625D  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B019F  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B019F  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B019F  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B019F  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A197  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A197  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A197  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03970185  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EC188  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EC188  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D4180  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D4180  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A061E5  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE1D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE1D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE1D0  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE1D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE1D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F61C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F61C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039601F8  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DA118  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DA118  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DA118  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DA118  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F0115  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039DE10E  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03960124  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392C156  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C8158  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04164  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04164  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03936154  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03936154  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C4144  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C4144  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C4144  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C4144  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C4144  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393208A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F60B8  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F60B8  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039280A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C80A8  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B20DE  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392C0F0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039720F0  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A0E3  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039380E9  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B60E0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394E016  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394E016  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394E016  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394E016  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B4000  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D2000  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C6030  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392A020  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392C020  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03932050  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6050  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395C073  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039D678E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039307AF  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039E47A0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393C7C0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B07C3  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039347FB  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039347FB  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039527ED  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039527ED  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039527ED  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BE7E1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03930710  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03960710  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C700  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396273C  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396273C  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396273C  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AC730  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C720  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C720  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03930750  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BE75D  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03972750  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03972750  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B4755  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396674D  mov esi, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396674D  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396674D  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03938770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940770  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934690  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03934690  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039666B0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C6A6  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A6C7  mov ebx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A6C7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE6F2  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE6F2  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE6F2  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE6F2  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B06F1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B06F1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03972619  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039AE609  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394260B  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394E627  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03966620  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03968620  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0393262C  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0394C640  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03962674  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F866E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039F866E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A660  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A660  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E59C  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03932582  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03932582  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03964588  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039545B1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039545B1  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B05A7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B05A7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B05A7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039365D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A5D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396A5D0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E5CF  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E5CF  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E5E7  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039325E0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C5ED  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396C5ED  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039C6500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03A04500  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940535  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E53E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E53E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E53E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E53E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395E53E  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03938550  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03938550  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396656A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396656A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396656A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EA49A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039644B0  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BA4B0  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039364AB  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039304E5  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03968402  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03968402  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03968402  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392E420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392E420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392E420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392C427  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039B6420  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039EA456  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0392645D  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395245A  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0396E443  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395A470  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395A470  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0395A470  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039BC460  mov ecx, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03940BBE  mov eax, dword ptr fs:[00000030h]
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940BBE mov eax, dword ptr fs:[00000030h]1_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4BB0 mov eax, dword ptr fs:[00000030h]1_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4BB0 mov eax, dword ptr fs:[00000030h]1_2_039E4BB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEBD0 mov eax, dword ptr fs:[00000030h]1_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03950BCB mov eax, dword ptr fs:[00000030h]1_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930BCD mov eax, dword ptr fs:[00000030h]1_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938BF0 mov eax, dword ptr fs:[00000030h]1_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EBFC mov eax, dword ptr fs:[00000030h]1_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BCBF0 mov eax, dword ptr fs:[00000030h]1_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AEB1D mov eax, dword ptr fs:[00000030h]1_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04B00 mov eax, dword ptr fs:[00000030h]1_2_03A04B00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]1_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EB20 mov eax, dword ptr fs:[00000030h]1_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]1_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039F8B28 mov eax, dword ptr fs:[00000030h]1_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928B50 mov eax, dword ptr fs:[00000030h]1_2_03928B50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEB50 mov eax, dword ptr fs:[00000030h]1_2_039DEB50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4B4B mov eax, dword ptr fs:[00000030h]1_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039E4B4B mov eax, dword ptr fs:[00000030h]1_2_039E4B4B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]1_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C6B40 mov eax, dword ptr fs:[00000030h]1_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FAB40 mov eax, dword ptr fs:[00000030h]1_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D8B42 mov eax, dword ptr fs:[00000030h]1_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0392CB7E mov eax, dword ptr fs:[00000030h]1_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A02B57 mov eax, dword ptr fs:[00000030h]1_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A02B57 mov eax, dword ptr fs:[00000030h]1_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A02B57 mov eax, dword ptr fs:[00000030h]1_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A02B57 mov eax, dword ptr fs:[00000030h]1_2_03A02B57
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03968A90 mov edx, dword ptr fs:[00000030h]1_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393EA80 mov eax, dword ptr fs:[00000030h]1_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04A80 mov eax, dword ptr fs:[00000030h]1_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]1_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03938AA0 mov eax, dword ptr fs:[00000030h]1_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986AA4 mov eax, dword ptr fs:[00000030h]1_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930AD0 mov eax, dword ptr fs:[00000030h]1_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]1_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03964AD0 mov eax, dword ptr fs:[00000030h]1_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03986ACC mov eax, dword ptr fs:[00000030h]1_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]1_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396AAEE mov eax, dword ptr fs:[00000030h]1_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BCA11 mov eax, dword ptr fs:[00000030h]1_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]1_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03954A35 mov eax, dword ptr fs:[00000030h]1_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA24 mov eax, dword ptr fs:[00000030h]1_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395EA2E mov eax, dword ptr fs:[00000030h]1_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03936A50 mov eax, dword ptr fs:[00000030h]1_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]1_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03940A5B mov eax, dword ptr fs:[00000030h]1_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]1_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039ACA72 mov eax, dword ptr fs:[00000030h]1_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396CA6F mov eax, dword ptr fs:[00000030h]1_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039DEA60 mov eax, dword ptr fs:[00000030h]1_2_039DEA60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov esi, dword ptr fs:[00000030h]1_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]1_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B89B3 mov eax, dword ptr fs:[00000030h]1_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039429A0 mov eax, dword ptr fs:[00000030h]1_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039309AD mov eax, dword ptr fs:[00000030h]1_2_039309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039309AD mov eax, dword ptr fs:[00000030h]1_2_039309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0393A9D0 mov eax, dword ptr fs:[00000030h]1_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039649D0 mov eax, dword ptr fs:[00000030h]1_2_039649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FA9D3 mov eax, dword ptr fs:[00000030h]1_2_039FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C69C0 mov eax, dword ptr fs:[00000030h]1_2_039C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039629F9 mov eax, dword ptr fs:[00000030h]1_2_039629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039629F9 mov eax, dword ptr fs:[00000030h]1_2_039629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BE9E0 mov eax, dword ptr fs:[00000030h]1_2_039BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC912 mov eax, dword ptr fs:[00000030h]1_2_039BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928918 mov eax, dword ptr fs:[00000030h]1_2_03928918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03928918 mov eax, dword ptr fs:[00000030h]1_2_03928918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE908 mov eax, dword ptr fs:[00000030h]1_2_039AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039AE908 mov eax, dword ptr fs:[00000030h]1_2_039AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B892A mov eax, dword ptr fs:[00000030h]1_2_039B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039C892B mov eax, dword ptr fs:[00000030h]1_2_039C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039B0946 mov eax, dword ptr fs:[00000030h]1_2_039B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A04940 mov eax, dword ptr fs:[00000030h]1_2_03A04940
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D4978 mov eax, dword ptr fs:[00000030h]1_2_039D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039D4978 mov eax, dword ptr fs:[00000030h]1_2_039D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC97C mov eax, dword ptr fs:[00000030h]1_2_039BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]1_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]1_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03956962 mov eax, dword ptr fs:[00000030h]1_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]1_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397096E mov edx, dword ptr fs:[00000030h]1_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0397096E mov eax, dword ptr fs:[00000030h]1_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC89D mov eax, dword ptr fs:[00000030h]1_2_039BC89D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03930887 mov eax, dword ptr fs:[00000030h]1_2_03930887
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0395E8C0 mov eax, dword ptr fs:[00000030h]1_2_0395E8C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03A008C0 mov eax, dword ptr fs:[00000030h]1_2_03A008C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C8F9 mov eax, dword ptr fs:[00000030h]1_2_0396C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0396C8F9 mov eax, dword ptr fs:[00000030h]1_2_0396C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039FA8E4 mov eax, dword ptr fs:[00000030h]1_2_039FA8E4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039BC810 mov eax, dword ptr fs:[00000030h]1_2_039BC810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]1_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]1_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952835 mov eax, dword ptr fs:[00000030h]1_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03952835 mov ecx, dword ptr fs:[00000030h]1_2_03952835
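The svchost.exe entries above are the sandbox's static view of `mov r32, dword ptr fs:[00000030h]`: in 32-bit Windows code fs:[0] is the TEB and TEB+0x30 holds the PEB pointer, so each of these is a load of the PEB. A PEB read on its own is not evidence of anti-debugging, since normal loader code reads PEB.Ldr and PEB.ProcessHeap all the time; what distinguishes a BeingDebugged or NtGlobalFlag check is which field is dereferenced right after the load. The scanner below is an added example, not code from the report, from Joe Sandbox or from the sample. It finds both encodings of the instruction in a raw code blob and classifies the PEB field read next when the following instruction is a `movzx`/`mov` from `[reg+disp8]`. The byte string and the base address 0x03930000 are constructed for the example.

```python
"""Find direct PEB reads (mov r32, dword ptr fs:[30h]) in raw 32-bit x86 code."""

REG32 = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]

# 32-bit PEB field offsets most often touched right after the PEB pointer is loaded.
PEB32_FIELDS = {0x02: "BeingDebugged", 0x0C: "Ldr", 0x18: "ProcessHeap", 0x68: "NtGlobalFlag"}

FS30 = b"\x30\x00\x00\x00"
# ModRM byte for "mod=00, rm=101 (disp32)" with the destination register in the reg field:
# 0x05 eax, 0x0D ecx, 0x15 edx, 0x1D ebx, 0x25 esp, 0x2D ebp, 0x35 esi, 0x3D edi.
MODRM_DISP32 = {(r << 3) | 0x05: r for r in range(8)}


def _match_peb_read(blob, i):
    """Return (dest_reg_index, insn_len) if a fs:[30h] load starts at blob[i], else None."""
    if blob[i:i + 1] != b"\x64":                        # FS segment override prefix
        return None
    op = blob[i + 1:i + 2]
    if op == b"\xA1" and blob[i + 2:i + 6] == FS30:     # 64 A1 30 00 00 00: mov eax, fs:[moffs32]
        return 0, 6
    if op == b"\x8B" and blob[i + 3:i + 7] == FS30:     # 64 8B /r 30 00 00 00: mov r32, fs:[disp32]
        modrm = blob[i + 2:i + 3]
        if modrm and modrm[0] in MODRM_DISP32:
            return MODRM_DISP32[modrm[0]], 7
    return None


def _peb_field_read_next(blob, i, reg):
    """Name the PEB field if blob[i] is movzx/mov r32, [reg+disp8]; otherwise None."""
    if blob[i:i + 2] == b"\x0F\xB6":                    # movzx r32, byte ptr [reg+disp8]
        modrm, disp = blob[i + 2:i + 3], blob[i + 3:i + 4]
    elif blob[i:i + 1] == b"\x8B":                      # mov r32, dword ptr [reg+disp8]
        modrm, disp = blob[i + 1:i + 2], blob[i + 2:i + 3]
    else:
        return None
    if not (modrm and disp):
        return None
    mod, rm = modrm[0] >> 6, modrm[0] & 7
    if mod != 1 or rm != reg or rm == 4:                # mod=01 means disp8; rm=100 would need a SIB byte
        return None
    return PEB32_FIELDS.get(disp[0], f"PEB+0x{disp[0]:02X}")


def find_peb_reads(blob, base=0):
    """Return one dict per fs:[30h] load: virtual address, register, text and the field read next."""
    hits, i = [], 0
    while i < len(blob):
        m = _match_peb_read(blob, i)
        if m is None:
            i += 1
            continue
        reg, length = m
        hits.append({
            "va": base + i,
            "register": REG32[reg],
            "text": f"mov {REG32[reg]}, dword ptr fs:[00000030h]",
            "field": _peb_field_read_next(blob, i + length, reg),
        })
        i += length
    return hits


# Constructed sample: a prologue, three PEB loads with typical follow-up reads, and a ret.
SAMPLE_CODE = (
    b"\x55\x8B\xEC"                   # push ebp; mov ebp, esp
    b"\x64\xA1\x30\x00\x00\x00"       # mov eax, dword ptr fs:[30h]
    b"\x0F\xB6\x40\x02"               # movzx eax, byte ptr [eax+2]      -> PEB.BeingDebugged
    b"\x85\xC0"                       # test eax, eax
    b"\x64\x8B\x0D\x30\x00\x00\x00"   # mov ecx, dword ptr fs:[30h]
    b"\x8B\x49\x68"                   # mov ecx, dword ptr [ecx+68h]     -> PEB.NtGlobalFlag
    b"\x64\x8B\x35\x30\x00\x00\x00"   # mov esi, dword ptr fs:[30h]
    b"\x8B\x76\x0C"                   # mov esi, dword ptr [esi+0Ch]     -> PEB.Ldr
    b"\xC3"                           # ret
)

if __name__ == "__main__":
    for hit in find_peb_reads(SAMPLE_CODE, base=0x03930000):   # base address is made up
        print(f"{hit['va']:08X} {hit['text']:40s} next read: {hit['field']}")
```

Run against a dumped code region (for instance the 0x0392xxxx to 0x03A0xxxx range the report attributes to svchost.exe), the output pairs each hit with the field it feeds, so the BeingDebugged and NtGlobalFlag checks stand out from the loader-style Ldr and ProcessHeap accesses without disassembling the whole module.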
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00482622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_0047083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004709D5 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00470C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtClose: Direct from: 0x76F02B6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateKey: Direct from: 0x76F02C6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationThread: Direct from: 0x76F02B4C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenSection: Direct from: 0x76F02E0C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationThread: Direct from: 0x76EF63F9
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateFile: Direct from: 0x76F02FEC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenFile: Direct from: 0x76F02DCC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtTerminateThread: Direct from: 0x76F02FCC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateMutant: Direct from: 0x76F035CC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtResumeThread: Direct from: 0x76F036AC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtReadFile: Direct from: 0x76F02ADC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtDelayExecution: Direct from: 0x76F02DDC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtResumeThread: Direct from: 0x76F02FBC
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | NtCreateUserProcess: Direct from: 0x76F0371C
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\verclsid.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
Source: C:\Windows\SysWOW64\verclsid.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\verclsid.exe | Thread register set: target process: 7948
Source: C:\Windows\SysWOW64\verclsid.exe | Thread APC queued: target process: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2C74008
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004B1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_00492BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004BB226 SendInput,keybd_event
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004D22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe"
Source: C:\Program Files (x86)\ZJVdDTSHvqSjjqQNqNGGpyUZfODRUsROtCgOaWivdOVQCkvHWkEXXCJISuKFITnpLIwzjKRncrXBNUeK\zalkpCfMwtnpQo.exe | Process created: C:\Windows\SysWOW64\verclsid.exe "C:\Windows\SysWOW64\verclsid.exe"
Source: C:\Windows\SysWOW64\verclsid.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004B0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,0_2_004B0B62
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004B1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,0_2_004B1663
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exe, zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: zalkpCfMwtnpQo.exe, 00000002.00000002.3549061384.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000002.00000000.1752088734.00000000013D0000.00000002.00000001.00040000.00000000.sdmp, zalkpCfMwtnpQo.exe, 00000007.00000000.1908407918.0000000001910000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: }Program Manager
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_00470698 cpuid 0_2_00470698
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004C8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,0_2_004C8195
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004AD27A GetUserNameW,0_2_004AD27A
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_0048BB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_0048BB6F
                Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exeCode function: 0_2_004542DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_004542DE

Stealing of Sensitive Information

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
Source: C:\Windows\SysWOW64\verclsid.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\verclsid.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_81
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_XP
                Source: Scanned-IMGS_from NomanGroup IDT.scr.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_XPe
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_VISTA
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_7
Source: Scanned-IMGS_from NomanGroup IDT.scr.exe | Binary or memory string: WIN_8

Remote Access Functionality

Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.3548246487.0000000003320000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3548136805.00000000032D0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.3551901085.0000000005770000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.3547874217.0000000003020000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1829643197.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1835373056.00000000091A0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.1830333241.0000000005AE0000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3549362625.0000000004810000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004D1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket,0_2_004D1204
Source: C:\Users\user\Desktop\Scanned-IMGS_from NomanGroup IDT.scr.exe | Code function: 0_2_004D1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,0_2_004D1806
ATT&CK matrix, listed per tactic (a leading number is the count the report shows next to that technique; techniques without a number are the matrix's unhighlighted entries):

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising
Initial Access: 2 Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application
Execution: 1 Native API, Scheduled Task/Job, At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading, 2 Valid Accounts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At
Privilege Escalation: 1 Exploitation for Privilege Escalation, 1 Abuse Elevation Control Mechanism, 1 DLL Side-Loading, 2 Valid Accounts, 21 Access Token Manipulation, 412 Process Injection, Startup Items, Scheduled Task/Job, At
Defense Evasion: 1 Disable or Modify Tools, 1 Deobfuscate/Decode Files or Information, 1 Abuse Elevation Control Mechanism, 3 Obfuscated Files or Information, 1 DLL Side-Loading, 2 Valid Accounts, 12 Virtualization/Sandbox Evasion, 21 Access Token Manipulation, 412 Process Injection
Credential Access: 1 OS Credential Dumping, 21 Input Capture, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow
Discovery: 2 System Time Discovery, 1 Account Discovery, 2 File and Directory Discovery, 116 System Information Discovery, 241 Security Software Discovery, 12 Virtualization/Sandbox Evasion, 3 Process Discovery, 1 Application Window Discovery, 1 System Owner/User Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections
Collection: 1 Archive Collected Data, 1 Data from Local System, 1 Email Collection, 21 Input Capture, 3 Clipboard Data, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged
Command and Control: 4 Ingress Tool Transfer, 1 Encrypted Channel, 4 Non-Application Layer Protocol, 4 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol, Web Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement
Behavior Graph ID: 1590590 | Sample: Scanned-IMGS_from NomanGrou... | Startdate: 14/01/2025 | Architecture: WINDOWS | Score: 100

Start node
  Domains/IPs: xpremio.online; www.thesquare.world; 19 other IPs or domains
  Signatures: Suricata IDS alerts for network traffic; Antivirus detection for URL or domain; Antivirus / Scanner detection for submitted sample; 7 other signatures
  -> Scanned-IMGS_from NomanGroup IDT.scr.exe (started)
     Signatures: Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process
     -> svchost.exe (started)
        Signatures: Maps a DLL or memory area into another process
        -> zalkpCfMwtnpQo.exe (injected)
           Signatures: Found direct / indirect Syscall (likely to bypass EDR)
           -> verclsid.exe (started)
              Signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
              -> firefox.exe (started)
              -> zalkpCfMwtnpQo.exe (injected)
                 Signatures: Found direct / indirect Syscall (likely to bypass EDR)
                 Network: www.nexula.website 67.223.117.142, ports 57374, 57395, 57411, VIMRO-AS15189US United States; xpremio.online 84.32.84.32, ports 57616, 57617, 57618, NTT-LT-ASLT Lithuania; 7 other IPs or domains
