Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
DHL408-23-2025.exe

Overview

General Information

Sample name:DHL408-23-2025.exe
Analysis ID:1608107
MD5:6aed7ab2e1947c92588192d6c9ecfa51
SHA1:89ba935c9fd5ac0b74b8ad4cda4d6c3f5ccd87b6
SHA256:19478a15efa45981ccec619c3ebe95f31d3428e42f852d0165c801bad61ed239
Tags:DHLexeFormbookuser-abuse_ch
Infos:

Detection

FormBook
Score:100
Range:0 - 100
Confidence:100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Joe Sandbox ML detected suspicious sample
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • DHL408-23-2025.exe (PID: 6964 cmdline: "C:\Users\user\Desktop\DHL408-23-2025.exe" MD5: 6AED7AB2E1947C92588192D6C9ECFA51)
    • svchost.exe (PID: 1412 cmdline: "C:\Users\user\Desktop\DHL408-23-2025.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • 26q1gI5vLCf3f.exe (PID: 6824 cmdline: "C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\R8t9bU8f96B.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
        • unlodctr.exe (PID: 576 cmdline: "C:\Windows\SysWOW64\unlodctr.exe" MD5: EAF86537E26CC81C0767E58F66E01F52)
          • 26q1gI5vLCf3f.exe (PID: 6664 cmdline: "C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\27NFNYl76u0P.exe" MD5: 9C98D1A23EFAF1B156A130CEA7D2EE3A)
          • firefox.exe (PID: 2500 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Formbook, FormboFormBook contains a unique crypter RunPE that has unique behavioral patterns subject to detection. It was initially called "Babushka Crypter" by Insidemalware.
  • SWEED
  • Cobalt
https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook

Malware Configuration

No configs have been found

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000B.00000002.3770627432.00000000030F0000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
    00000007.00000002.1608689819.0000000000400000.00000040.80000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
      0000000A.00000002.3770676190.0000000004F70000.00000040.00000001.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
        0000000B.00000002.3770714330.0000000003140000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
          00000007.00000002.1609692191.0000000005E00000.00000040.10000000.00040000.00000000.sdmpJoeSecurity_FormBook_1Yara detected FormBookJoe Security
            Click to see the 2 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            7.2.svchost.exe.400000.0.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security
              7.2.svchost.exe.400000.0.raw.unpackJoeSecurity_FormBook_1Yara detected FormBookJoe Security

                Sigma Signatures

                System Summary

                barindex
                Sigma detected: Uncommon Svchost Parent Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Users\user\Desktop\DHL408-23-2025.exe", CommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", ParentImage: C:\Users\user\Desktop\DHL408-23-2025.exe, ParentProcessId: 6964, ParentProcessName: DHL408-23-2025.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", ProcessId: 1412, ProcessName: svchost.exe
                Sigma detected: Windows Processes Suspicious Parent Directory
                Source: Process startedAuthor: vburov: Data: Command: "C:\Users\user\Desktop\DHL408-23-2025.exe", CommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", ParentImage: C:\Users\user\Desktop\DHL408-23-2025.exe, ParentProcessId: 6964, ParentProcessName: DHL408-23-2025.exe, ProcessCommandLine: "C:\Users\user\Desktop\DHL408-23-2025.exe", ProcessId: 1412, ProcessName: svchost.exe

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-06T08:54:46.560521+010020507451Malware Command and Control Activity Detected192.168.2.750007188.114.96.380TCP
                2025-02-06T08:56:28.172727+010020507451Malware Command and Control Activity Detected192.168.2.749971188.114.97.380TCP
                2025-02-06T08:56:41.611665+010020507451Malware Command and Control Activity Detected192.168.2.749975199.59.243.22880TCP
                2025-02-06T08:56:55.752829+010020507451Malware Command and Control Activity Detected192.168.2.749979162.251.95.6280TCP
                2025-02-06T08:57:17.308362+010020507451Malware Command and Control Activity Detected192.168.2.749983172.67.148.21680TCP
                2025-02-06T08:57:31.476227+010020507451Malware Command and Control Activity Detected192.168.2.74998747.83.1.9080TCP
                2025-02-06T08:57:44.789895+010020507451Malware Command and Control Activity Detected192.168.2.749991199.192.21.16980TCP
                2025-02-06T08:58:06.221151+010020507451Malware Command and Control Activity Detected192.168.2.749995104.21.64.180TCP
                2025-02-06T08:58:20.449366+010020507451Malware Command and Control Activity Detected192.168.2.74999947.83.1.9080TCP
                2025-02-06T08:58:42.434573+010020507451Malware Command and Control Activity Detected192.168.2.75000318.139.62.22680TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-06T08:54:46.560521+010028554651A Network Trojan was detected192.168.2.750007188.114.96.380TCP
                2025-02-06T08:56:28.172727+010028554651A Network Trojan was detected192.168.2.749971188.114.97.380TCP
                2025-02-06T08:56:41.611665+010028554651A Network Trojan was detected192.168.2.749975199.59.243.22880TCP
                2025-02-06T08:56:55.752829+010028554651A Network Trojan was detected192.168.2.749979162.251.95.6280TCP
                2025-02-06T08:57:17.308362+010028554651A Network Trojan was detected192.168.2.749983172.67.148.21680TCP
                2025-02-06T08:57:31.476227+010028554651A Network Trojan was detected192.168.2.74998747.83.1.9080TCP
                2025-02-06T08:57:44.789895+010028554651A Network Trojan was detected192.168.2.749991199.192.21.16980TCP
                2025-02-06T08:58:06.221151+010028554651A Network Trojan was detected192.168.2.749995104.21.64.180TCP
                2025-02-06T08:58:20.449366+010028554651A Network Trojan was detected192.168.2.74999947.83.1.9080TCP
                2025-02-06T08:58:42.434573+010028554651A Network Trojan was detected192.168.2.75000318.139.62.22680TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2025-02-06T08:56:33.930187+010028554641A Network Trojan was detected192.168.2.749972199.59.243.22880TCP
                2025-02-06T08:56:36.485747+010028554641A Network Trojan was detected192.168.2.749973199.59.243.22880TCP
                2025-02-06T08:56:39.037194+010028554641A Network Trojan was detected192.168.2.749974199.59.243.22880TCP
                2025-02-06T08:56:48.094756+010028554641A Network Trojan was detected192.168.2.749976162.251.95.6280TCP
                2025-02-06T08:56:50.677889+010028554641A Network Trojan was detected192.168.2.749977162.251.95.6280TCP
                2025-02-06T08:56:53.221854+010028554641A Network Trojan was detected192.168.2.749978162.251.95.6280TCP
                2025-02-06T08:57:09.627521+010028554641A Network Trojan was detected192.168.2.749980172.67.148.21680TCP
                2025-02-06T08:57:12.214644+010028554641A Network Trojan was detected192.168.2.749981172.67.148.21680TCP
                2025-02-06T08:57:14.738410+010028554641A Network Trojan was detected192.168.2.749982172.67.148.21680TCP
                2025-02-06T08:57:23.811177+010028554641A Network Trojan was detected192.168.2.74998447.83.1.9080TCP
                2025-02-06T08:57:26.349915+010028554641A Network Trojan was detected192.168.2.74998547.83.1.9080TCP
                2025-02-06T08:57:28.998648+010028554641A Network Trojan was detected192.168.2.74998647.83.1.9080TCP
                2025-02-06T08:57:37.121656+010028554641A Network Trojan was detected192.168.2.749988199.192.21.16980TCP
                2025-02-06T08:57:39.675880+010028554641A Network Trojan was detected192.168.2.749989199.192.21.16980TCP
                2025-02-06T08:57:42.243850+010028554641A Network Trojan was detected192.168.2.749990199.192.21.16980TCP
                2025-02-06T08:57:58.552641+010028554641A Network Trojan was detected192.168.2.749992104.21.64.180TCP
                2025-02-06T08:58:01.094039+010028554641A Network Trojan was detected192.168.2.749993104.21.64.180TCP
                2025-02-06T08:58:03.656584+010028554641A Network Trojan was detected192.168.2.749994104.21.64.180TCP
                2025-02-06T08:58:12.685110+010028554641A Network Trojan was detected192.168.2.74999647.83.1.9080TCP
                2025-02-06T08:58:15.271883+010028554641A Network Trojan was detected192.168.2.74999747.83.1.9080TCP
                2025-02-06T08:58:17.998954+010028554641A Network Trojan was detected192.168.2.74999847.83.1.9080TCP
                2025-02-06T08:58:34.565988+010028554641A Network Trojan was detected192.168.2.75000018.139.62.22680TCP
                2025-02-06T08:58:37.128476+010028554641A Network Trojan was detected192.168.2.75000118.139.62.22680TCP
                2025-02-06T08:58:39.787651+010028554641A Network Trojan was detected192.168.2.75000218.139.62.22680TCP
                2025-02-06T08:58:49.002073+010028554641A Network Trojan was detected192.168.2.750004188.114.96.380TCP
                2025-02-06T08:58:51.550248+010028554641A Network Trojan was detected192.168.2.750005188.114.96.380TCP
                2025-02-06T08:58:54.092885+010028554641A Network Trojan was detected192.168.2.750006188.114.96.380TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus detection for URL or domain
                Source: http://www.uzshou.world/ricr/?5zslr=DsJJ9LHvO2HIHRqWbycc87uiexZjeMq0lcbG2YQL94noaGFETLMOBonxxstsOEJaR2W2DKPzfgEtUmgcU+0uX1q4fptdeb2Yt7H4X0kre9/yFizf3ktzl3kjaJqCIH29I0hfxrLu4OeU&pdV=X2i0x2VXvdphLAvira URL Cloud: Label: malware
                Source: http://www.maplesyrup7.click/4nhb/?pdV=X2i0x2VXvdphL&5zslr=VRdPyVGvBNL0zGb1/LX2eA9H2AyHXSKUQOSO7cd8EnuFzx+YHnq+DUXdslaENlV63J3iVXi+q6zCQbLR2W+jmEnaSLT1ODpggZpMfTloX0+gD61ZrkW6laUiEKAmlykl6Y00X1VXvA02Avira URL Cloud: Label: malware
                Source: http://www.uzshou.world/ricr/Avira URL Cloud: Label: malware
                Multi AV Scanner detection for submitted file
                Source: DHL408-23-2025.exeVirustotal: Detection: 54%Perma Link
                Source: DHL408-23-2025.exeReversingLabs: Detection: 44%
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3770627432.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1608689819.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3770676190.0000000004F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3770714330.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609692191.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3761687109.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609630340.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Joe Sandbox ML detected suspicious sample
                Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                Machine Learning detection for sample
                Source: DHL408-23-2025.exeJoe Sandbox ML: detected
                Source: DHL408-23-2025.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: Binary string: unlodctr.pdbGCTL source: svchost.exe, 00000007.00000003.1575006259.000000000321A000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000003.1547152663.0000000001475000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: DHL408-23-2025.exe, 00000005.00000003.1307072245.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, DHL408-23-2025.exe, 00000005.00000003.1297644119.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1512126737.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1501787508.0000000003500000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1609062328.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1611697679.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.0000000003350000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.00000000034EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: DHL408-23-2025.exe, 00000005.00000003.1307072245.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, DHL408-23-2025.exe, 00000005.00000003.1297644119.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1609200442.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1512126737.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1501787508.0000000003500000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 0000000B.00000003.1609062328.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1611697679.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.0000000003350000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.00000000034EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: unlodctr.pdb source: svchost.exe, 00000007.00000003.1575006259.000000000321A000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000003.1547152663.0000000001475000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: unlodctr.exe, 0000000B.00000002.3771914586.000000000397C000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2013302221.0000000039D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: unlodctr.exe, 0000000B.00000002.3771914586.000000000397C000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2013302221.0000000039D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 26q1gI5vLCf3f.exe, 0000000A.00000000.1528946193.000000000032F000.00000002.00000001.01000000.00000005.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688003645.000000000032F000.00000002.00000001.01000000.00000005.sdmp
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00764696 GetFileAttributesW,FindFirstFileW,FindClose,5_2_00764696
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076C93C FindFirstFileW,FindClose,5_2_0076C93C
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_0076C9C7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0076F200
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0076F35D
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0076F65E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00763A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00763A2B
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00763D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00763D4E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0076BF27
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C3C640 FindFirstFileW,FindNextFileW,FindClose,11_2_02C3C640
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 4x nop then xor eax, eax11_2_02C29F70
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 4x nop then pop edi11_2_02C2E335
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 4x nop then mov ebx, 00000004h11_2_03230530

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49989 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49993 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49972 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49980 -> 172.67.148.216:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49985 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49982 -> 172.67.148.216:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49997 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50003 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50003 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49975 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49974 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49990 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49984 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49979 -> 162.251.95.62:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49979 -> 162.251.95.62:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49973 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49975 -> 199.59.243.228:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50001 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49988 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49971 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49971 -> 188.114.97.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50005 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49992 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49981 -> 172.67.148.216:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49994 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49977 -> 162.251.95.62:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49976 -> 162.251.95.62:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50006 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49999 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49999 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49978 -> 162.251.95.62:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49995 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49995 -> 104.21.64.1:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49996 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50000 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49998 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49983 -> 172.67.148.216:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49983 -> 172.67.148.216:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49991 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49991 -> 199.192.21.169:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50002 -> 18.139.62.226:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:49987 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:49987 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:49986 -> 47.83.1.90:80
                Source: Network trafficSuricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.7:50004 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.7:50007 -> 188.114.96.3:80
                Source: Network trafficSuricata IDS: 2855465 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (GET) M2 : 192.168.2.7:50007 -> 188.114.96.3:80
                Source: Joe Sandbox ViewIP Address: 199.192.21.169 199.192.21.169
                Source: Joe Sandbox ViewASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007725E2 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,5_2_007725E2
                Source: global trafficHTTP traffic detected: GET /4nhb/?pdV=X2i0x2VXvdphL&5zslr=VRdPyVGvBNL0zGb1/LX2eA9H2AyHXSKUQOSO7cd8EnuFzx+YHnq+DUXdslaENlV63J3iVXi+q6zCQbLR2W+jmEnaSLT1ODpggZpMfTloX0+gD61ZrkW6laUiEKAmlykl6Y00X1VXvA02 HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.maplesyrup7.clickConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /nmrk/?5zslr=/0sxYx23xH8xi+H92xBLqAoDenm++sB28j8aWDRWCja+tef/r7M3KSHAsxEmH2Ql1ZDI27EdC/CcGrRNLTkBe6WdkSTdfImu6/kdZztaHwEq69nrORip0Bo19Em7wk/ekCPUI99inSlp&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.marketyemen.holdingsConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /9aud/?pdV=X2i0x2VXvdphL&5zslr=r3lbX71h7q0AHy0nd+4HAz2oLQu8OXKXCKCSBMbv4rPFPtn+x9pbH5vfUhpnGKcWhU2ilqg7+CZg+6VCYnHUE1FgUCxmjKBIbfS38CC/7dTQbEKm5z0eOPx8OvD3jAsfSDg9wNhIWjPf HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.y6h6kn.topConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /c83d/?5zslr=jxTzUjVIZaofx7jxvDDEI5l6EJZyHIhT1kOq3tJuXTxbUN1TAIK6B8Trk2pOixsdDrzfQtiDoeEPrKkrg6muyVp1ujzm5Plwp2Cmk0sxdLQCkHUMMyqe04m3o4EBI5SO3HMpQfvA/wDC&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.overlayoasis.questConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /7nib/?5zslr=uKRRcKiI80JDE6w2z4LSkf1Y4qy8boHcKbVaQWL/Xt+siAoLAxBeiwuetBJvIJ3z2UyZcnBi9xP8ZgG+7UIAUDW4ANOdbaqnOllXsdCRo89nTM/ULVBhFqfLUW7p0h50P4MdnEQXqbtl&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.sutbkn.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /stiu/?5zslr=KuvrM/srG3MDLqFAjh29riB2m/1J48Y6mn0u9MF7YlgnCmWeycT1gm8orALA86E9qUKhYi6qgKN/iUA6gvmuWip50T5l8tDLHoCWIR//UIR27WSes/yYn6CDVv9lXwni3s6Vo3jwZ3bW&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.lonfor.websiteConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /ricr/?5zslr=DsJJ9LHvO2HIHRqWbycc87uiexZjeMq0lcbG2YQL94noaGFETLMOBonxxstsOEJaR2W2DKPzfgEtUmgcU+0uX1q4fptdeb2Yt7H4X0kre9/yFizf3ktzl3kjaJqCIH29I0hfxrLu4OeU&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.uzshou.worldConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /mywm/?5zslr=IUYy1jDll+i8jXwybg5it4J8tmExGnjgj5hASYJF1IMJpVkU6oGvrctxMh0PV/CFKzqvEY5ZBre3he+5VeLrF7zU6K7PXKn3zkPtYkG6SkGXIh8r4KwIfbi2XiH+LodszekZY26Zb95s&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.cruycq.infoConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /9pfv/?5zslr=4OnzTJjygr2UF7Bo3IIt6EuMs+K86EkwPktcWvnjVwKZvZNFQVh3xXhpI5/VT8S49BEfwU+ZbRCA5JqqUY9HOL4gqkY/npHJKGxOC3TvlocXLqY+2czEjxBsux+As9b8Tir5hRtXpiKV&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.sonixingenuine.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficHTTP traffic detected: GET /3mxj/?5zslr=jq8S2rqRH/pZTeuct5Ln65rRfLRqj0GLt3opqtgh95OppUWlnF+WZ7yWZ1F/cjBn/beCaAR7umgcREbbKfJqAl30pk1VlEoJW8bfgEzZ2haZ8mLlKgISglKtUewv8W6DYJA01+hpkVZd&pdV=X2i0x2VXvdphL HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Language: en-USHost: www.clzt.shopConnection: closeUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)
                Source: global trafficDNS traffic detected: DNS query: www.nosolofichas.online
                Source: global trafficDNS traffic detected: DNS query: www.clubhoodies.shop
                Source: global trafficDNS traffic detected: DNS query: www.maplesyrup7.click
                Source: global trafficDNS traffic detected: DNS query: www.marketyemen.holdings
                Source: global trafficDNS traffic detected: DNS query: www.y6h6kn.top
                Source: global trafficDNS traffic detected: DNS query: www.x3kwqc5tye4vl90y.top
                Source: global trafficDNS traffic detected: DNS query: www.overlayoasis.quest
                Source: global trafficDNS traffic detected: DNS query: www.sutbkn.info
                Source: global trafficDNS traffic detected: DNS query: www.lonfor.website
                Source: global trafficDNS traffic detected: DNS query: www.cozythreads.store
                Source: global trafficDNS traffic detected: DNS query: www.uzshou.world
                Source: global trafficDNS traffic detected: DNS query: www.cruycq.info
                Source: global trafficDNS traffic detected: DNS query: www.dnft.immo
                Source: global trafficDNS traffic detected: DNS query: www.sonixingenuine.shop
                Source: global trafficDNS traffic detected: DNS query: www.clzt.shop
                Source: unknownHTTP traffic detected: POST /nmrk/ HTTP/1.1Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8Accept-Encoding: gzip, deflate, brAccept-Language: en-USHost: www.marketyemen.holdingsContent-Length: 218Cache-Control: max-age=0Content-Type: application/x-www-form-urlencodedConnection: closeOrigin: http://www.marketyemen.holdingsReferer: http://www.marketyemen.holdings/nmrk/User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; InfoPath.3; .NET4.0C; .NET4.0E)Data Raw: 35 7a 73 6c 72 3d 79 32 45 52 62 45 69 70 31 6a 42 56 6a 65 7a 4b 31 52 4a 55 73 6c 77 2f 55 56 62 4b 6a 73 56 61 76 44 46 65 5a 77 56 4d 64 77 71 67 6f 74 33 38 73 37 35 69 49 53 54 72 34 42 34 4e 47 48 41 64 34 49 43 32 33 4b 51 57 44 4e 66 49 45 49 39 63 62 77 4a 42 53 62 72 36 32 53 4f 31 4b 35 69 56 2b 4e 31 47 4f 30 70 63 65 67 31 4d 2f 72 44 2b 4f 6e 79 38 73 67 52 58 74 6c 61 75 74 44 58 46 35 54 43 70 42 59 46 34 31 77 52 71 45 77 34 64 4a 51 56 31 33 68 73 2b 47 78 2b 6e 51 6f 52 47 76 79 39 65 34 78 56 37 4c 51 58 41 4f 35 47 32 50 52 71 4b 72 70 59 6a 4f 6c 69 38 4d 4e 78 76 35 69 4b 46 63 43 46 35 68 54 53 4c 6e 50 44 4e 38 41 3d 3d Data Ascii: 5zslr=y2ERbEip1jBVjezK1RJUslw/UVbKjsVavDFeZwVMdwqgot38s75iISTr4B4NGHAd4IC23KQWDNfIEI9cbwJBSbr62SO1K5iV+N1GO0pceg1M/rD+Ony8sgRXtlautDXF5TCpBYF41wRqEw4dJQV13hs+Gx+nQoRGvy9e4xV7LQXAO5G2PRqKrpYjOli8MNxv5iKFcCF5hTSLnPDN8A==
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:56:47 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:56:50 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:56:53 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Thu, 06 Feb 2025 07:56:55 GMTContent-Type: text/htmlContent-Length: 148Connection: closeETag: "674427dd-94"Data Raw: 0a 3c 68 74 6d 6c 3e 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a 20 20 20 20 20 20 20 20 Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:57:23 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:57:26 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:57:37 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:57:39 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:57:42 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404"><h1>4<span>0</s
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Thu, 06 Feb 2025 07:57:44 GMTServer: ApacheContent-Length: 774Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 3e 0d 0a 0d 0a 3c 68 65 61 64 3e 0d 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 75 74 66 2d 38 22 3e 0d 0a 09 3c 6d 65 74 61 20 68 74 74 70 2d 65 71 75 69 76 3d 22 58 2d 55 41 2d 43 6f 6d 70 61 74 69 62 6c 65 22 20 63 6f 6e 74 65 6e 74 3d 22 49 45 3d 65 64 67 65 22 3e 0d 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 3e 0d 0a 0d 0a 09 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 66 6f 6e 74 73 2e 67 6f 6f 67 6c 65 61 70 69 73 2e 63 6f 6d 2f 63 73 73 3f 66 61 6d 69 6c 79 3d 52 6f 62 6f 74 6f 3a 34 30 30 2c 37 30 30 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 3e 0d 0a 0d 0a 09 3c 6c 69 6e 6b 20 74 79 70 65 3d 22 74 65 78 74 2f 63 73 73 22 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 63 73 73 2f 73 74 79 6c 65 34 30 34 2e 63 73 73 22 20 2f 3e 0d 0a 0d 0a 3c 2f 68 65 61 64 3e 0d 0a 0d 0a 3c 62 6f 64 79 3e 0d 0a 0d 0a 09 3c 64 69 76 20 69 64 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 22 3e 0d 0a 09 09 09 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 34 30 34 22 3e 0d 0a 09 09 09 09 3c 68 31 3e 34 3c 73 70 61 6e 3e 30 3c 2f 73 70 61 6e 3e 34 3c 2f 68 31 3e 0d 0a 09 09 09 3c 2f 64 69 76 3e 0d 0a 09 09 09 3c 68 32 3e 74 68 65 20 70 61 67 65 20 79 6f 75 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 09 09 09 3c 66 6f 72 6d 20 63 6c 61 73 73 3d 22 6e 6f 74 66 6f 75 6e 64 2d 73 65 61 72 63 68 22 3e 0d 0a 09 09 09 09 3c 69 6e 70 75 74 20 74 79 70 65 3d 22 74 65 78 74 22 20 70 6c 61 63 65 68 6f 6c 64 65 72 3d 22 53 65 61 72 63 68 2e 2e 2e 22 3e 0d 0a 09 09 09 09 3c 62 75 74 74 6f 6e 20 74 79 70 65 3d 22 62 75 74 74 6f 6e 22 3e 3c 73 70 61 6e 3e 3c 2f 73 70 61 6e 3e 3c 2f 62 75 74 74 6f 6e 3e 0d 0a 09 09 09 3c 2f 66 6f 72 6d 3e 0d 0a 09 09 3c 2f 64 69 76 3e 0d 0a 09 3c 2f 64 69 76 3e 0d 0a 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width, initial-scale=1"><title>404 Not Found</title><link href="https://fonts.googleapis.com/css?family=Roboto:400,700" rel="stylesheet"><link type="text/css" rel="stylesheet" href="/css/style404.css" /></head><body><div id="notfound"><div class="notfound"><div class="notfound-404">
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:58:12 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Thu, 06 Feb 2025 07:58:15 GMTTransfer-Encoding: chunkedConnection: closeData Raw: 30 0d 0a 0d 0a Data Ascii: 0
                Source: 26q1gI5vLCf3f.exe, 0000000C.00000002.3771011915.0000000002504000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.clzt.shop
                Source: 26q1gI5vLCf3f.exe, 0000000C.00000002.3771011915.0000000002504000.00000040.80000000.00040000.00000000.sdmpString found in binary or memory: http://www.clzt.shop/3mxj/
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: unlodctr.exe, 0000000B.00000002.3771914586.00000000049F4000.00000004.10000000.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.00000000038F4000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E2C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                Source: unlodctr.exe, 0000000B.00000003.1902725558.0000000007CC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007CEA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: unlodctr.exe, 0000000B.00000002.3773563125.0000000006230000.00000004.00000800.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771914586.000000000421A000.00000004.10000000.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.000000000311A000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.google.com
                Source: unlodctr.exe, 0000000B.00000002.3771914586.00000000051CE000.00000004.10000000.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.00000000040CE000.00000004.00000001.00040000.00000000.sdmpString found in binary or memory: https://www.sonixingenuine.shop/9pfv/?5zslr=4OnzTJjygr2UF7Bo3IIt6EuMs
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0077425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_0077425A
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00774458 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,5_2_00774458
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0077425A OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,5_2_0077425A
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00760219 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,5_2_00760219
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0078CDAC DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,5_2_0078CDAC

                E-Banking Fraud

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3770627432.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1608689819.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3770676190.0000000004F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3770714330.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609692191.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3761687109.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609630340.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

                System Summary

                barindex
                Binary is likely a compiled AutoIt script file
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: This is a third-party compiled AutoIt script.5_2_00703B4C
                Source: DHL408-23-2025.exeString found in binary or memory: This is a third-party compiled AutoIt script.
                Source: DHL408-23-2025.exe, 00000005.00000000.1275542991.00000000007B5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: This is a third-party compiled AutoIt script.memstr_4a82fe16-4
                Source: DHL408-23-2025.exe, 00000005.00000000.1275542991.00000000007B5000.00000002.00000001.01000000.00000004.sdmpString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_16a4f3bf-5
                Source: DHL408-23-2025.exeString found in binary or memory: This is a third-party compiled AutoIt script.memstr_d9cc6acd-b
                Source: DHL408-23-2025.exeString found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_a8b96ea7-8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0042C713 NtClose,7_2_0042C713
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972B60 NtClose,LdrInitializeThunk,7_2_03972B60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DF0 NtQuerySystemInformation,LdrInitializeThunk,7_2_03972DF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C70 NtFreeVirtualMemory,LdrInitializeThunk,7_2_03972C70
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039735C0 NtCreateMutant,LdrInitializeThunk,7_2_039735C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974340 NtSetContextThread,7_2_03974340
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03974650 NtSuspendThread,7_2_03974650
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972B80 NtQueryInformationFile,7_2_03972B80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BA0 NtEnumerateValueKey,7_2_03972BA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BF0 NtAllocateVirtualMemory,7_2_03972BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972BE0 NtQueryValueKey,7_2_03972BE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AB0 NtWaitForSingleObject,7_2_03972AB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AD0 NtReadFile,7_2_03972AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972AF0 NtWriteFile,7_2_03972AF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F90 NtProtectVirtualMemory,7_2_03972F90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FB0 NtResumeThread,7_2_03972FB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FA0 NtQuerySection,7_2_03972FA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972FE0 NtCreateFile,7_2_03972FE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F30 NtCreateSection,7_2_03972F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972F60 NtCreateProcessEx,7_2_03972F60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972E80 NtReadVirtualMemory,7_2_03972E80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972EA0 NtAdjustPrivilegesToken,7_2_03972EA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972EE0 NtQueueApcThread,7_2_03972EE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972E30 NtWriteVirtualMemory,7_2_03972E30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DB0 NtEnumerateKey,7_2_03972DB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972DD0 NtDelayExecution,7_2_03972DD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D10 NtMapViewOfSection,7_2_03972D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D00 NtSetInformationFile,7_2_03972D00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972D30 NtUnmapViewOfSection,7_2_03972D30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CA0 NtQueryInformationToken,7_2_03972CA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CC0 NtQueryVirtualMemory,7_2_03972CC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972CF0 NtOpenProcess,7_2_03972CF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C00 NtQueryInformationProcess,7_2_03972C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972C60 NtCreateKey,7_2_03972C60
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973090 NtSetValueKey,7_2_03973090
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973010 NtOpenDirectoryObject,7_2_03973010
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039739B0 NtGetContextThread,7_2_039739B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973D10 NtOpenProcessToken,7_2_03973D10
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03973D70 NtOpenThread,7_2_03973D70
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C4340 NtSetContextThread,LdrInitializeThunk,11_2_033C4340
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C4650 NtSuspendThread,LdrInitializeThunk,11_2_033C4650
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2B60 NtClose,LdrInitializeThunk,11_2_033C2B60
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2BA0 NtEnumerateValueKey,LdrInitializeThunk,11_2_033C2BA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2BF0 NtAllocateVirtualMemory,LdrInitializeThunk,11_2_033C2BF0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2BE0 NtQueryValueKey,LdrInitializeThunk,11_2_033C2BE0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2AF0 NtWriteFile,LdrInitializeThunk,11_2_033C2AF0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2AD0 NtReadFile,LdrInitializeThunk,11_2_033C2AD0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2F30 NtCreateSection,LdrInitializeThunk,11_2_033C2F30
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2FB0 NtResumeThread,LdrInitializeThunk,11_2_033C2FB0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2FE0 NtCreateFile,LdrInitializeThunk,11_2_033C2FE0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2E80 NtReadVirtualMemory,LdrInitializeThunk,11_2_033C2E80
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2EE0 NtQueueApcThread,LdrInitializeThunk,11_2_033C2EE0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2D30 NtUnmapViewOfSection,LdrInitializeThunk,11_2_033C2D30
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2D10 NtMapViewOfSection,LdrInitializeThunk,11_2_033C2D10
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2DF0 NtQuerySystemInformation,LdrInitializeThunk,11_2_033C2DF0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2DD0 NtDelayExecution,LdrInitializeThunk,11_2_033C2DD0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2C70 NtFreeVirtualMemory,LdrInitializeThunk,11_2_033C2C70
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2C60 NtCreateKey,LdrInitializeThunk,11_2_033C2C60
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2CA0 NtQueryInformationToken,LdrInitializeThunk,11_2_033C2CA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C35C0 NtCreateMutant,LdrInitializeThunk,11_2_033C35C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C39B0 NtGetContextThread,LdrInitializeThunk,11_2_033C39B0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2B80 NtQueryInformationFile,11_2_033C2B80
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2AB0 NtWaitForSingleObject,11_2_033C2AB0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2F60 NtCreateProcessEx,11_2_033C2F60
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2FA0 NtQuerySection,11_2_033C2FA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2F90 NtProtectVirtualMemory,11_2_033C2F90
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2E30 NtWriteVirtualMemory,11_2_033C2E30
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2EA0 NtAdjustPrivilegesToken,11_2_033C2EA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2D00 NtSetInformationFile,11_2_033C2D00
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2DB0 NtEnumerateKey,11_2_033C2DB0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2C00 NtQueryInformationProcess,11_2_033C2C00
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2CF0 NtOpenProcess,11_2_033C2CF0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C2CC0 NtQueryVirtualMemory,11_2_033C2CC0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C3010 NtOpenDirectoryObject,11_2_033C3010
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C3090 NtSetValueKey,11_2_033C3090
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C3D10 NtOpenProcessToken,11_2_033C3D10
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C3D70 NtOpenThread,11_2_033C3D70
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C49260 NtReadFile,11_2_02C49260
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C493F0 NtClose,11_2_02C493F0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C49350 NtDeleteFile,11_2_02C49350
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C490F0 NtCreateFile,11_2_02C490F0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C49550 NtAllocateVirtualMemory,11_2_02C49550
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0323F232 NtQueryInformationProcess,11_2_0323F232
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00764021: CreateFileW,DeviceIoControl,CloseHandle,5_2_00764021
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00758858 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,5_2_00758858
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076545F ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,5_2_0076545F
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0070E8005_2_0070E800
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072DBB55_2_0072DBB5
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0070FE405_2_0070FE40
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0070E0605_2_0070E060
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0078804A5_2_0078804A
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007141405_2_00714140
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007224055_2_00722405
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007365225_2_00736522
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0073267E5_2_0073267E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007806655_2_00780665
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007168435_2_00716843
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072283A5_2_0072283A
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007389DF5_2_007389DF
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00718A0E5_2_00718A0E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00780AE25_2_00780AE2
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00736A945_2_00736A94
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00768B135_2_00768B13
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0075EB075_2_0075EB07
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072CD615_2_0072CD61
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007370065_2_00737006
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0071710E5_2_0071710E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007131905_2_00713190
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007012875_2_00701287
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007233C75_2_007233C7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072F4195_2_0072F419
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007216C45_2_007216C4
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007156805_2_00715680
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007278D35_2_007278D3
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007158C05_2_007158C0
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00721BB85_2_00721BB8
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00739D055_2_00739D05
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072BFE65_2_0072BFE6
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00721FD05_2_00721FD0
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_017269D05_2_017269D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004187E37_2_004187E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004100237_2_00410023
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004030807_2_00403080
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004169EE7_2_004169EE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004169F37_2_004169F3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040299F7_2_0040299F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004029A07_2_004029A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004102437_2_00410243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E2537_2_0040E253
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E3977_2_0040E397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040E3A37_2_0040E3A3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004014407_2_00401440
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004044D57_2_004044D5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0042ECE37_2_0042ECE3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004025EA7_2_004025EA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004025F07_2_004025F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004046987_2_00404698
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004047167_2_00404716
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A003E67_2_03A003E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E3F07_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FA3527_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C02C07_2_039C02C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E02747_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A001AA7_2_03A001AA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F81CC7_2_039F81CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA1187_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039301007_2_03930100
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C81587_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D20007_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393C7C07_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039647507_2_03964750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039407707_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395C6E07_2_0395C6E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A005917_2_03A00591
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039405357_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EE4F67_2_039EE4F6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F24467_2_039F2446
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F6BD77_2_039F6BD7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FAB407_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA807_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A0A9A67_2_03A0A9A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A07_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039569627_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039268B87_2_039268B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E8F07_2_0396E8F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394A8407_2_0394A840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039428407_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BEFA07_2_039BEFA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC87_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394CFE07_2_0394CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960F307_2_03960F30
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03982F287_2_03982F28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4F407_2_039B4F40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952E907_2_03952E90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FCE937_2_039FCE93
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FEEDB7_2_039FEEDB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FEE267_2_039FEE26
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940E597_2_03940E59
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03958DBF7_2_03958DBF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393ADE07_2_0393ADE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394AD007_2_0394AD00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0CB57_2_039E0CB5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930CF27_2_03930CF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940C007_2_03940C00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0398739A7_2_0398739A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F132D7_2_039F132D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392D34C7_2_0392D34C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039452A07_2_039452A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395B2C07_2_0395B2C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E12ED7_2_039E12ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394B1B07_2_0394B1B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A0B16B7_2_03A0B16B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392F1727_2_0392F172
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397516C7_2_0397516C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EF0CC7_2_039EF0CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039470C07_2_039470C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F70E97_2_039F70E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF0E07_2_039FF0E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF7B07_2_039FF7B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F16CC7_2_039F16CC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DD5B07_2_039DD5B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F75717_2_039F7571
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FF43F7_2_039FF43F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039314607_2_03931460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395FB807_2_0395FB80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B5BF07_2_039B5BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397DBF97_2_0397DBF9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFB767_2_039FFB76
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DDAAC7_2_039DDAAC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03985AA07_2_03985AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EDAC67_2_039EDAC6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFA497_2_039FFA49
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F7A467_2_039F7A46
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B3A6C7_2_039B3A6C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D59107_2_039D5910
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039499507_2_03949950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395B9507_2_0395B950
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039438E07_2_039438E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AD8007_2_039AD800
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03941F927_2_03941F92
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFFB17_2_039FFFB1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFF097_2_039FFF09
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03949EB07_2_03949EB0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395FDC07_2_0395FDC0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F1D5A7_2_039F1D5A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03943D407_2_03943D40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F7D737_2_039F7D73
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FFCF27_2_039FFCF2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B9C327_2_039B9C32
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529299810_2_05292998
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05288C7210_2_05288C72
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_052B348010_2_052B3480
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_052947C010_2_052947C0
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05288E3510_2_05288E35
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05288EB310_2_05288EB3
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529B18B10_2_0529B18B
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529B19010_2_0529B190
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_052949E010_2_052949E0
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05292B3410_2_05292B34
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05292B4010_2_05292B40
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344A35211_2_0344A352
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034503E611_2_034503E6
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339E3F011_2_0339E3F0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0343027411_2_03430274
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034102C011_2_034102C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0341815811_2_03418158
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0338010011_2_03380100
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0342A11811_2_0342A118
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034481CC11_2_034481CC
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034501AA11_2_034501AA
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0342200011_2_03422000
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339077011_2_03390770
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033B475011_2_033B4750
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0338C7C011_2_0338C7C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033AC6E011_2_033AC6E0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339053511_2_03390535
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0345059111_2_03450591
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344244611_2_03442446
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0343E4F611_2_0343E4F6
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344AB4011_2_0344AB40
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03446BD711_2_03446BD7
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0338EA8011_2_0338EA80
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033A696211_2_033A6962
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033929A011_2_033929A0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0345A9A611_2_0345A9A6
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339284011_2_03392840
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339A84011_2_0339A840
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033768B811_2_033768B8
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033BE8F011_2_033BE8F0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03404F4011_2_03404F40
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033B0F3011_2_033B0F30
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033D2F2811_2_033D2F28
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339CFE011_2_0339CFE0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0340EFA011_2_0340EFA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03382FC811_2_03382FC8
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03390E5911_2_03390E59
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344EE2611_2_0344EE26
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344EEDB11_2_0344EEDB
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033A2E9011_2_033A2E90
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344CE9311_2_0344CE93
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339AD0011_2_0339AD00
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033A8DBF11_2_033A8DBF
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0338ADE011_2_0338ADE0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03390C0011_2_03390C00
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03380CF211_2_03380CF2
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03430CB511_2_03430CB5
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344132D11_2_0344132D
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0337D34C11_2_0337D34C
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033D739A11_2_033D739A
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033952A011_2_033952A0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034312ED11_2_034312ED
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033AB2C011_2_033AB2C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0345B16B11_2_0345B16B
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0337F17211_2_0337F172
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033C516C11_2_033C516C
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339B1B011_2_0339B1B0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0343F0CC11_2_0343F0CC
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344F0E011_2_0344F0E0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034470E911_2_034470E9
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033970C011_2_033970C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344F7B011_2_0344F7B0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_034416CC11_2_034416CC
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344757111_2_03447571
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0342D5B011_2_0342D5B0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0338146011_2_03381460
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344F43F11_2_0344F43F
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344FB7611_2_0344FB76
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03405BF011_2_03405BF0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033AFB8011_2_033AFB80
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033CDBF911_2_033CDBF9
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03447A4611_2_03447A46
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344FA4911_2_0344FA49
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03403A6C11_2_03403A6C
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0343DAC611_2_0343DAC6
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033D5AA011_2_033D5AA0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0342DAAC11_2_0342DAAC
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0342591011_2_03425910
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0339995011_2_03399950
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033AB95011_2_033AB950
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033FD80011_2_033FD800
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033938E011_2_033938E0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344FF0911_2_0344FF09
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03391F9211_2_03391F92
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344FFB111_2_0344FFB1
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03399EB011_2_03399EB0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03441D5A11_2_03441D5A
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03447D7311_2_03447D73
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03393D4011_2_03393D40
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_033AFDC011_2_033AFDC0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_03409C3211_2_03409C32
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0344FCF211_2_0344FCF2
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C31E4011_2_02C31E40
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C213F311_2_02C213F3
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2137511_2_02C21375
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2B08011_2_02C2B080
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2B07411_2_02C2B074
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C211B211_2_02C211B2
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C336CB11_2_02C336CB
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C336D011_2_02C336D0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C354C011_2_02C354C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C4B9C011_2_02C4B9C0
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2CF2011_2_02C2CF20
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2AF3011_2_02C2AF30
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C2CD0011_2_02C2CD00
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0323E3A411_2_0323E3A4
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0323E4C311_2_0323E4C3
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0323D92811_2_0323D928
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_0323E85C11_2_0323E85C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 0392B970 appears 272 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03975130 appears 57 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039AEA12 appears 86 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 039BF290 appears 105 times
                Source: C:\Windows\SysWOW64\svchost.exeCode function: String function: 03987E54 appears 100 times
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: String function: 00728B40 appears 42 times
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: String function: 00720D27 appears 70 times
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: String function: 00707F41 appears 35 times
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: String function: 033D7E54 appears 100 times
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: String function: 0337B970 appears 272 times
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: String function: 033FEA12 appears 86 times
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: String function: 0340F290 appears 105 times
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: String function: 033C5130 appears 57 times
                Source: DHL408-23-2025.exe, 00000005.00000003.1308523264.00000000041C3000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL408-23-2025.exe
                Source: DHL408-23-2025.exe, 00000005.00000003.1308663043.000000000436D000.00000004.00001000.00020000.00000000.sdmpBinary or memory string: OriginalFilenamentdll.dllj% vs DHL408-23-2025.exe
                Source: DHL408-23-2025.exeStatic PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@7/5@15/9
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076A2D5 GetLastError,FormatMessageW,5_2_0076A2D5
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00758713 AdjustTokenPrivileges,CloseHandle,5_2_00758713
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00758CC3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,5_2_00758CC3
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076B59E SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,5_2_0076B59E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0077F121 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,5_2_0077F121
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076C602 CoInitialize,CoCreateInstance,CoUninitialize,5_2_0076C602
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00704FE9 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,5_2_00704FE9
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeFile created: C:\Users\user~1\AppData\Local\Temp\aut308C.tmpJump to behavior
                Source: DHL408-23-2025.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Program Files\Mozilla Firefox\firefox.exeFile read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.iniJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002EC2000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1903963380.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E94000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E9F000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1903851906.0000000002E73000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL408-23-2025.exeVirustotal: Detection: 54%
                Source: DHL408-23-2025.exeReversingLabs: Detection: 44%
                Source: unknownProcess created: C:\Users\user\Desktop\DHL408-23-2025.exe "C:\Users\user\Desktop\DHL408-23-2025.exe"
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL408-23-2025.exe"
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeProcess created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL408-23-2025.exe"Jump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeProcess created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: loadperf.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: ieframe.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: netapi32.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: wkscli.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: mlang.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: winsqlite3.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: vaultcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: wininet.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32Jump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\Jump to behavior
                Source: DHL408-23-2025.exeStatic file information: File size 1183232 > 1048576
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                Source: DHL408-23-2025.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: unlodctr.pdbGCTL source: svchost.exe, 00000007.00000003.1575006259.000000000321A000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000003.1547152663.0000000001475000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdbUGP source: DHL408-23-2025.exe, 00000005.00000003.1307072245.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, DHL408-23-2025.exe, 00000005.00000003.1297644119.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1512126737.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1501787508.0000000003500000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1609062328.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1611697679.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.0000000003350000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.00000000034EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: wntdll.pdb source: DHL408-23-2025.exe, 00000005.00000003.1307072245.00000000040A0000.00000004.00001000.00020000.00000000.sdmp, DHL408-23-2025.exe, 00000005.00000003.1297644119.00000000041F0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000007.00000002.1609200442.0000000003900000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.1609200442.0000000003A9E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1512126737.0000000003700000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.1501787508.0000000003500000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, unlodctr.exe, 0000000B.00000003.1609062328.0000000002FF9000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000003.1611697679.00000000031AA000.00000004.00000020.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.0000000003350000.00000040.00001000.00020000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3771105717.00000000034EE000.00000040.00001000.00020000.00000000.sdmp
                Source: Binary string: unlodctr.pdb source: svchost.exe, 00000007.00000003.1575006259.000000000321A000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000003.1547152663.0000000001475000.00000004.00000001.00020000.00000000.sdmp
                Source: Binary string: svchost.pdb source: unlodctr.exe, 0000000B.00000002.3771914586.000000000397C000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2013302221.0000000039D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: svchost.pdbUGP source: unlodctr.exe, 0000000B.00000002.3771914586.000000000397C000.00000004.10000000.00040000.00000000.sdmp, unlodctr.exe, 0000000B.00000002.3763426046.0000000002E0E000.00000004.00000020.00020000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000002.3771522454.000000000287C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000010.00000002.2013302221.0000000039D9C000.00000004.80000000.00040000.00000000.sdmp
                Source: Binary string: C:\Work\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: 26q1gI5vLCf3f.exe, 0000000A.00000000.1528946193.000000000032F000.00000002.00000001.01000000.00000005.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688003645.000000000032F000.00000002.00000001.01000000.00000005.sdmp
                Source: DHL408-23-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                Source: DHL408-23-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                Source: DHL408-23-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                Source: DHL408-23-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                Source: DHL408-23-2025.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0077C304 LoadLibraryA,GetProcAddress,5_2_0077C304
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0070C590 push eax; retn 0070h5_2_0070C599
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00728B85 push ecx; ret 5_2_00728B98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0041E855 push edi; ret 7_2_0041E86F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0041E863 push edi; ret 7_2_0041E86F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004178F6 push esp; iretd 7_2_004178FD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00401896 pushfd ; ret 7_2_004018A1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00419187 push edx; iretd 7_2_00419196
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00417193 pushad ; iretd 7_2_004171E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00402250 push eax; ret 7_2_00402391
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00406AC7 push ebx; retf 7_2_00406ACA
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004022FF push eax; ret 7_2_00402391
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004172FE pushad ; iretd 7_2_0041730D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00417303 pushad ; iretd 7_2_0041730D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00403320 push eax; ret 7_2_00403322
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004023A1 push eax; ret 7_2_00402391
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00417401 push 147C1A69h; iretd 7_2_0041740E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0040D4E5 push ds; ret 7_2_0040D4E6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00418546 push esi; ret 7_2_00418556
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_004085DF push ebp; retf 7_2_004085E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0041F5B3 push edi; ret 7_2_0041F5BE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00418E7C pushad ; retf 7_2_00418E8A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039309AD push ecx; mov dword ptr [esp], ecx7_2_039309B6
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0528CD7C push ebp; retf 10_2_0528CD84
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_05291C82 push ds; ret 10_2_05291C83
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529CCE3 push esi; ret 10_2_0529CCF3
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529D619 pushad ; retf 10_2_0529D627
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529D924 push edx; iretd 10_2_0529D933
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529B930 pushad ; iretd 10_2_0529B983
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529C093 push esp; iretd 10_2_0529C09A
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0529BB9E push 147C1A69h; iretd 10_2_0529BBAB
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeCode function: 10_2_0528B264 push ebx; retf 10_2_0528B267
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00704A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00704A35
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007855FD IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,5_2_007855FD
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007233C7 EncodePointer,__initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,5_2_007233C7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                barindex
                Switches to a custom stack to bypass stack traces
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeAPI/Special instruction interceptor: Address: 17265F4
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD324
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD7E4
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD944
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD504
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD544
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECD1E4
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CED0154
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI/Special instruction interceptor: Address: 7FFB2CECDA44
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397096E rdtsc 7_2_0397096E
                Source: C:\Windows\SysWOW64\unlodctr.exeWindow / User API: threadDelayed 9842Jump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeAPI coverage: 4.9 %
                Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
                Source: C:\Windows\SysWOW64\unlodctr.exeAPI coverage: 2.7 %
                Source: C:\Windows\SysWOW64\unlodctr.exe TID: 2056Thread sleep count: 131 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exe TID: 2056Thread sleep time: -262000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exe TID: 2056Thread sleep count: 9842 > 30Jump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exe TID: 2056Thread sleep time: -19684000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe TID: 2196Thread sleep time: -75000s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe TID: 2196Thread sleep time: -40500s >= -30000sJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe TID: 2196Thread sleep count: 35 > 30Jump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe TID: 2196Thread sleep time: -35000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeLast function: Thread delayed
                Source: C:\Windows\SysWOW64\unlodctr.exeLast function: Thread delayed
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00764696 GetFileAttributesW,FindFirstFileW,FindClose,5_2_00764696
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076C93C FindFirstFileW,FindClose,5_2_0076C93C
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076C9C7 FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,5_2_0076C9C7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F200 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0076F200
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F35D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,5_2_0076F35D
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076F65E FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0076F65E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00763A2B FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00763A2B
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00763D4E FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose,5_2_00763D4E
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0076BF27 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,5_2_0076BF27
                Source: C:\Windows\SysWOW64\unlodctr.exeCode function: 11_2_02C3C640 FindFirstFileW,FindNextFileW,FindClose,11_2_02C3C640
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00704AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00704AFE
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,1169649
                Source: 9250-GI.11.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: 9250-GI.11.drBinary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: 9250-GI.11.drBinary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: outlook.office.comVMware20,11696492231s
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: oft.visualstudio.comVMware20,11696492231x
                Source: 9250-GI.11.drBinary or memory string: AMC password management pageVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: interactivebrokers.comVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,1169649&z
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: East & CentralVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: 9250-GI.11.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: outlook.office365.comVMware20,11696492231t
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: n PasswordVMware20,11696492231x
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: 9250-GI.11.drBinary or memory string: discord.comVMware20,11696492231f
                Source: 26q1gI5vLCf3f.exe, 0000000C.00000002.3769313116.00000000009F9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000010.00000002.2014934444.0000020779C6C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: 9250-GI.11.drBinary or memory string: global block list test formVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: dev.azure.comVMware20,11696492231j
                Source: 9250-GI.11.drBinary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: 9250-GI.11.drBinary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: 9250-GI.11.drBinary or memory string: bankofamerica.comVMware20,11696492231x
                Source: 9250-GI.11.drBinary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: unlodctr.exe, 0000000B.00000002.3763426046.0000000002E0E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll/
                Source: 9250-GI.11.drBinary or memory string: tasks.office.comVMware20,11696492231o
                Source: 9250-GI.11.drBinary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: 9250-GI.11.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,1169649223
                Source: 9250-GI.11.drBinary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,1(z
                Source: 9250-GI.11.drBinary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: 9250-GI.11.drBinary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20"
                Source: unlodctr.exe, 0000000B.00000002.3773716577.0000000007D54000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,1169649Tz0
                Source: 9250-GI.11.drBinary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: 9250-GI.11.drBinary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeAPI call chain: ExitProcess graph end nodegraph_5-98433
                Source: C:\Windows\SysWOW64\svchost.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess queried: DebugPortJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397096E rdtsc 7_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_00417983 LdrLoadDll,7_2_00417983
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007741FD BlockInput,5_2_007741FD
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00703B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00703B4C
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00735CCC EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,5_2_00735CCC
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0077C304 LoadLibraryA,GetProcAddress,5_2_0077C304
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_01725220 mov eax, dword ptr fs:[00000030h]5_2_01725220
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_01726860 mov eax, dword ptr fs:[00000030h]5_2_01726860
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_017268C0 mov eax, dword ptr fs:[00000030h]5_2_017268C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03928397 mov eax, dword ptr fs:[00000030h]7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03928397 mov eax, dword ptr fs:[00000030h]7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03928397 mov eax, dword ptr fs:[00000030h]7_2_03928397
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h]7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h]7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E388 mov eax, dword ptr fs:[00000030h]7_2_0392E388
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395438F mov eax, dword ptr fs:[00000030h]7_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395438F mov eax, dword ptr fs:[00000030h]7_2_0395438F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D43D4 mov eax, dword ptr fs:[00000030h]7_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D43D4 mov eax, dword ptr fs:[00000030h]7_2_039D43D4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EC3CD mov eax, dword ptr fs:[00000030h]7_2_039EC3CD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A3C0 mov eax, dword ptr fs:[00000030h]7_2_0393A3C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h]7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h]7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h]7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039383C0 mov eax, dword ptr fs:[00000030h]7_2_039383C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B63C0 mov eax, dword ptr fs:[00000030h]7_2_039B63C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h]7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h]7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E3F0 mov eax, dword ptr fs:[00000030h]7_2_0394E3F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039663FF mov eax, dword ptr fs:[00000030h]7_2_039663FF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039403E9 mov eax, dword ptr fs:[00000030h]7_2_039403E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C310 mov ecx, dword ptr fs:[00000030h]7_2_0392C310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03950310 mov ecx, dword ptr fs:[00000030h]7_2_03950310
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h]7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h]7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A30B mov eax, dword ptr fs:[00000030h]7_2_0396A30B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov eax, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov eax, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov eax, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov ecx, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov eax, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B035C mov eax, dword ptr fs:[00000030h]7_2_039B035C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FA352 mov eax, dword ptr fs:[00000030h]7_2_039FA352
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D8350 mov ecx, dword ptr fs:[00000030h]7_2_039D8350
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B2349 mov eax, dword ptr fs:[00000030h]7_2_039B2349
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D437C mov eax, dword ptr fs:[00000030h]7_2_039D437C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E284 mov eax, dword ptr fs:[00000030h]7_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E284 mov eax, dword ptr fs:[00000030h]7_2_0396E284
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h]7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h]7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B0283 mov eax, dword ptr fs:[00000030h]7_2_039B0283
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039402A0 mov eax, dword ptr fs:[00000030h]7_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039402A0 mov eax, dword ptr fs:[00000030h]7_2_039402A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov ecx, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C62A0 mov eax, dword ptr fs:[00000030h]7_2_039C62A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h]7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h]7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h]7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h]7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A2C3 mov eax, dword ptr fs:[00000030h]7_2_0393A2C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h]7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h]7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039402E1 mov eax, dword ptr fs:[00000030h]7_2_039402E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392823B mov eax, dword ptr fs:[00000030h]7_2_0392823B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A250 mov eax, dword ptr fs:[00000030h]7_2_0392A250
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936259 mov eax, dword ptr fs:[00000030h]7_2_03936259
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B8243 mov eax, dword ptr fs:[00000030h]7_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B8243 mov ecx, dword ptr fs:[00000030h]7_2_039B8243
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E0274 mov eax, dword ptr fs:[00000030h]7_2_039E0274
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934260 mov eax, dword ptr fs:[00000030h]7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934260 mov eax, dword ptr fs:[00000030h]7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934260 mov eax, dword ptr fs:[00000030h]7_2_03934260
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392826B mov eax, dword ptr fs:[00000030h]7_2_0392826B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B019F mov eax, dword ptr fs:[00000030h]7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B019F mov eax, dword ptr fs:[00000030h]7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B019F mov eax, dword ptr fs:[00000030h]7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B019F mov eax, dword ptr fs:[00000030h]7_2_039B019F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h]7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h]7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A197 mov eax, dword ptr fs:[00000030h]7_2_0392A197
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03970185 mov eax, dword ptr fs:[00000030h]7_2_03970185
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EC188 mov eax, dword ptr fs:[00000030h]7_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039EC188 mov eax, dword ptr fs:[00000030h]7_2_039EC188
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D4180 mov eax, dword ptr fs:[00000030h]7_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D4180 mov eax, dword ptr fs:[00000030h]7_2_039D4180
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A061E5 mov eax, dword ptr fs:[00000030h]7_2_03A061E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h]7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h]7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE1D0 mov ecx, dword ptr fs:[00000030h]7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h]7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE1D0 mov eax, dword ptr fs:[00000030h]7_2_039AE1D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F61C3 mov eax, dword ptr fs:[00000030h]7_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F61C3 mov eax, dword ptr fs:[00000030h]7_2_039F61C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039601F8 mov eax, dword ptr fs:[00000030h]7_2_039601F8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov ecx, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DA118 mov eax, dword ptr fs:[00000030h]7_2_039DA118
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F0115 mov eax, dword ptr fs:[00000030h]7_2_039F0115
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960124 mov eax, dword ptr fs:[00000030h]7_2_03960124
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C156 mov eax, dword ptr fs:[00000030h]7_2_0392C156
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C8158 mov eax, dword ptr fs:[00000030h]7_2_039C8158
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936154 mov eax, dword ptr fs:[00000030h]7_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936154 mov eax, dword ptr fs:[00000030h]7_2_03936154
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov ecx, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C4144 mov eax, dword ptr fs:[00000030h]7_2_039C4144
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393208A mov eax, dword ptr fs:[00000030h]7_2_0393208A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F60B8 mov eax, dword ptr fs:[00000030h]7_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F60B8 mov ecx, dword ptr fs:[00000030h]7_2_039F60B8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C80A8 mov eax, dword ptr fs:[00000030h]7_2_039C80A8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B20DE mov eax, dword ptr fs:[00000030h]7_2_039B20DE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C0F0 mov eax, dword ptr fs:[00000030h]7_2_0392C0F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039720F0 mov ecx, dword ptr fs:[00000030h]7_2_039720F0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A0E3 mov ecx, dword ptr fs:[00000030h]7_2_0392A0E3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039380E9 mov eax, dword ptr fs:[00000030h]7_2_039380E9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B60E0 mov eax, dword ptr fs:[00000030h]7_2_039B60E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E016 mov eax, dword ptr fs:[00000030h]7_2_0394E016
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4000 mov ecx, dword ptr fs:[00000030h]7_2_039B4000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D2000 mov eax, dword ptr fs:[00000030h]7_2_039D2000
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6030 mov eax, dword ptr fs:[00000030h]7_2_039C6030
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392A020 mov eax, dword ptr fs:[00000030h]7_2_0392A020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C020 mov eax, dword ptr fs:[00000030h]7_2_0392C020
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932050 mov eax, dword ptr fs:[00000030h]7_2_03932050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6050 mov eax, dword ptr fs:[00000030h]7_2_039B6050
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395C073 mov eax, dword ptr fs:[00000030h]7_2_0395C073
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D678E mov eax, dword ptr fs:[00000030h]7_2_039D678E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039307AF mov eax, dword ptr fs:[00000030h]7_2_039307AF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393C7C0 mov eax, dword ptr fs:[00000030h]7_2_0393C7C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B07C3 mov eax, dword ptr fs:[00000030h]7_2_039B07C3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039347FB mov eax, dword ptr fs:[00000030h]7_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039347FB mov eax, dword ptr fs:[00000030h]7_2_039347FB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039527ED mov eax, dword ptr fs:[00000030h]7_2_039527ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE7E1 mov eax, dword ptr fs:[00000030h]7_2_039BE7E1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930710 mov eax, dword ptr fs:[00000030h]7_2_03930710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960710 mov eax, dword ptr fs:[00000030h]7_2_03960710
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C700 mov eax, dword ptr fs:[00000030h]7_2_0396C700
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov eax, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov ecx, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396273C mov eax, dword ptr fs:[00000030h]7_2_0396273C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AC730 mov eax, dword ptr fs:[00000030h]7_2_039AC730
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C720 mov eax, dword ptr fs:[00000030h]7_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C720 mov eax, dword ptr fs:[00000030h]7_2_0396C720
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930750 mov eax, dword ptr fs:[00000030h]7_2_03930750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE75D mov eax, dword ptr fs:[00000030h]7_2_039BE75D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972750 mov eax, dword ptr fs:[00000030h]7_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972750 mov eax, dword ptr fs:[00000030h]7_2_03972750
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B4755 mov eax, dword ptr fs:[00000030h]7_2_039B4755
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov esi, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov eax, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396674D mov eax, dword ptr fs:[00000030h]7_2_0396674D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938770 mov eax, dword ptr fs:[00000030h]7_2_03938770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940770 mov eax, dword ptr fs:[00000030h]7_2_03940770
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934690 mov eax, dword ptr fs:[00000030h]7_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934690 mov eax, dword ptr fs:[00000030h]7_2_03934690
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039666B0 mov eax, dword ptr fs:[00000030h]7_2_039666B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C6A6 mov eax, dword ptr fs:[00000030h]7_2_0396C6A6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A6C7 mov ebx, dword ptr fs:[00000030h]7_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A6C7 mov eax, dword ptr fs:[00000030h]7_2_0396A6C7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE6F2 mov eax, dword ptr fs:[00000030h]7_2_039AE6F2
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B06F1 mov eax, dword ptr fs:[00000030h]7_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B06F1 mov eax, dword ptr fs:[00000030h]7_2_039B06F1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03972619 mov eax, dword ptr fs:[00000030h]7_2_03972619
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE609 mov eax, dword ptr fs:[00000030h]7_2_039AE609
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394260B mov eax, dword ptr fs:[00000030h]7_2_0394260B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394E627 mov eax, dword ptr fs:[00000030h]7_2_0394E627
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03966620 mov eax, dword ptr fs:[00000030h]7_2_03966620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968620 mov eax, dword ptr fs:[00000030h]7_2_03968620
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393262C mov eax, dword ptr fs:[00000030h]7_2_0393262C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394C640 mov eax, dword ptr fs:[00000030h]7_2_0394C640
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03962674 mov eax, dword ptr fs:[00000030h]7_2_03962674
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F866E mov eax, dword ptr fs:[00000030h]7_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F866E mov eax, dword ptr fs:[00000030h]7_2_039F866E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A660 mov eax, dword ptr fs:[00000030h]7_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A660 mov eax, dword ptr fs:[00000030h]7_2_0396A660
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E59C mov eax, dword ptr fs:[00000030h]7_2_0396E59C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932582 mov eax, dword ptr fs:[00000030h]7_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932582 mov ecx, dword ptr fs:[00000030h]7_2_03932582
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03964588 mov eax, dword ptr fs:[00000030h]7_2_03964588
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039545B1 mov eax, dword ptr fs:[00000030h]7_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039545B1 mov eax, dword ptr fs:[00000030h]7_2_039545B1
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B05A7 mov eax, dword ptr fs:[00000030h]7_2_039B05A7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039365D0 mov eax, dword ptr fs:[00000030h]7_2_039365D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A5D0 mov eax, dword ptr fs:[00000030h]7_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A5D0 mov eax, dword ptr fs:[00000030h]7_2_0396A5D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E5CF mov eax, dword ptr fs:[00000030h]7_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E5CF mov eax, dword ptr fs:[00000030h]7_2_0396E5CF
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E5E7 mov eax, dword ptr fs:[00000030h]7_2_0395E5E7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039325E0 mov eax, dword ptr fs:[00000030h]7_2_039325E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C5ED mov eax, dword ptr fs:[00000030h]7_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C5ED mov eax, dword ptr fs:[00000030h]7_2_0396C5ED
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6500 mov eax, dword ptr fs:[00000030h]7_2_039C6500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04500 mov eax, dword ptr fs:[00000030h]7_2_03A04500
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940535 mov eax, dword ptr fs:[00000030h]7_2_03940535
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E53E mov eax, dword ptr fs:[00000030h]7_2_0395E53E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938550 mov eax, dword ptr fs:[00000030h]7_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938550 mov eax, dword ptr fs:[00000030h]7_2_03938550
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396656A mov eax, dword ptr fs:[00000030h]7_2_0396656A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039644B0 mov ecx, dword ptr fs:[00000030h]7_2_039644B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BA4B0 mov eax, dword ptr fs:[00000030h]7_2_039BA4B0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039364AB mov eax, dword ptr fs:[00000030h]7_2_039364AB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039304E5 mov ecx, dword ptr fs:[00000030h]7_2_039304E5
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968402 mov eax, dword ptr fs:[00000030h]7_2_03968402
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A430 mov eax, dword ptr fs:[00000030h]7_2_0396A430
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392E420 mov eax, dword ptr fs:[00000030h]7_2_0392E420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392C427 mov eax, dword ptr fs:[00000030h]7_2_0392C427
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B6420 mov eax, dword ptr fs:[00000030h]7_2_039B6420
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392645D mov eax, dword ptr fs:[00000030h]7_2_0392645D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395245A mov eax, dword ptr fs:[00000030h]7_2_0395245A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396E443 mov eax, dword ptr fs:[00000030h]7_2_0396E443
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395A470 mov eax, dword ptr fs:[00000030h]7_2_0395A470
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC460 mov ecx, dword ptr fs:[00000030h]7_2_039BC460
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940BBE mov eax, dword ptr fs:[00000030h]7_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940BBE mov eax, dword ptr fs:[00000030h]7_2_03940BBE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039DEBD0 mov eax, dword ptr fs:[00000030h]7_2_039DEBD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]7_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]7_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03950BCB mov eax, dword ptr fs:[00000030h]7_2_03950BCB
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]7_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]7_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930BCD mov eax, dword ptr fs:[00000030h]7_2_03930BCD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]7_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]7_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938BF0 mov eax, dword ptr fs:[00000030h]7_2_03938BF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395EBFC mov eax, dword ptr fs:[00000030h]7_2_0395EBFC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BCBF0 mov eax, dword ptr fs:[00000030h]7_2_039BCBF0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AEB1D mov eax, dword ptr fs:[00000030h]7_2_039AEB1D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395EB20 mov eax, dword ptr fs:[00000030h]7_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395EB20 mov eax, dword ptr fs:[00000030h]7_2_0395EB20
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F8B28 mov eax, dword ptr fs:[00000030h]7_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039F8B28 mov eax, dword ptr fs:[00000030h]7_2_039F8B28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6B40 mov eax, dword ptr fs:[00000030h]7_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6B40 mov eax, dword ptr fs:[00000030h]7_2_039C6B40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FAB40 mov eax, dword ptr fs:[00000030h]7_2_039FAB40
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D8B42 mov eax, dword ptr fs:[00000030h]7_2_039D8B42
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CB7E mov eax, dword ptr fs:[00000030h]7_2_0392CB7E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03968A90 mov edx, dword ptr fs:[00000030h]7_2_03968A90
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393EA80 mov eax, dword ptr fs:[00000030h]7_2_0393EA80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04A80 mov eax, dword ptr fs:[00000030h]7_2_03A04A80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938AA0 mov eax, dword ptr fs:[00000030h]7_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03938AA0 mov eax, dword ptr fs:[00000030h]7_2_03938AA0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03986AA4 mov eax, dword ptr fs:[00000030h]7_2_03986AA4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930AD0 mov eax, dword ptr fs:[00000030h]7_2_03930AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03964AD0 mov eax, dword ptr fs:[00000030h]7_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03964AD0 mov eax, dword ptr fs:[00000030h]7_2_03964AD0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]7_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]7_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03986ACC mov eax, dword ptr fs:[00000030h]7_2_03986ACC
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396AAEE mov eax, dword ptr fs:[00000030h]7_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396AAEE mov eax, dword ptr fs:[00000030h]7_2_0396AAEE
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BCA11 mov eax, dword ptr fs:[00000030h]7_2_039BCA11
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03954A35 mov eax, dword ptr fs:[00000030h]7_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03954A35 mov eax, dword ptr fs:[00000030h]7_2_03954A35
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CA38 mov eax, dword ptr fs:[00000030h]7_2_0396CA38
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CA24 mov eax, dword ptr fs:[00000030h]7_2_0396CA24
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395EA2E mov eax, dword ptr fs:[00000030h]7_2_0395EA2E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03936A50 mov eax, dword ptr fs:[00000030h]7_2_03936A50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940A5B mov eax, dword ptr fs:[00000030h]7_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03940A5B mov eax, dword ptr fs:[00000030h]7_2_03940A5B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039ACA72 mov eax, dword ptr fs:[00000030h]7_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039ACA72 mov eax, dword ptr fs:[00000030h]7_2_039ACA72
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]7_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]7_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CA6F mov eax, dword ptr fs:[00000030h]7_2_0396CA6F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B89B3 mov esi, dword ptr fs:[00000030h]7_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B89B3 mov eax, dword ptr fs:[00000030h]7_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B89B3 mov eax, dword ptr fs:[00000030h]7_2_039B89B3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039429A0 mov eax, dword ptr fs:[00000030h]7_2_039429A0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039309AD mov eax, dword ptr fs:[00000030h]7_2_039309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039309AD mov eax, dword ptr fs:[00000030h]7_2_039309AD
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0393A9D0 mov eax, dword ptr fs:[00000030h]7_2_0393A9D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039649D0 mov eax, dword ptr fs:[00000030h]7_2_039649D0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FA9D3 mov eax, dword ptr fs:[00000030h]7_2_039FA9D3
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C69C0 mov eax, dword ptr fs:[00000030h]7_2_039C69C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039629F9 mov eax, dword ptr fs:[00000030h]7_2_039629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039629F9 mov eax, dword ptr fs:[00000030h]7_2_039629F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE9E0 mov eax, dword ptr fs:[00000030h]7_2_039BE9E0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC912 mov eax, dword ptr fs:[00000030h]7_2_039BC912
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03928918 mov eax, dword ptr fs:[00000030h]7_2_03928918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03928918 mov eax, dword ptr fs:[00000030h]7_2_03928918
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE908 mov eax, dword ptr fs:[00000030h]7_2_039AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039AE908 mov eax, dword ptr fs:[00000030h]7_2_039AE908
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B892A mov eax, dword ptr fs:[00000030h]7_2_039B892A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C892B mov eax, dword ptr fs:[00000030h]7_2_039C892B
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039B0946 mov eax, dword ptr fs:[00000030h]7_2_039B0946
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D4978 mov eax, dword ptr fs:[00000030h]7_2_039D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D4978 mov eax, dword ptr fs:[00000030h]7_2_039D4978
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC97C mov eax, dword ptr fs:[00000030h]7_2_039BC97C
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]7_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]7_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03956962 mov eax, dword ptr fs:[00000030h]7_2_03956962
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397096E mov eax, dword ptr fs:[00000030h]7_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397096E mov edx, dword ptr fs:[00000030h]7_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0397096E mov eax, dword ptr fs:[00000030h]7_2_0397096E
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC89D mov eax, dword ptr fs:[00000030h]7_2_039BC89D
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03930887 mov eax, dword ptr fs:[00000030h]7_2_03930887
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395E8C0 mov eax, dword ptr fs:[00000030h]7_2_0395E8C0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C8F9 mov eax, dword ptr fs:[00000030h]7_2_0396C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396C8F9 mov eax, dword ptr fs:[00000030h]7_2_0396C8F9
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039FA8E4 mov eax, dword ptr fs:[00000030h]7_2_039FA8E4
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BC810 mov eax, dword ptr fs:[00000030h]7_2_039BC810
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov ecx, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03952835 mov eax, dword ptr fs:[00000030h]7_2_03952835
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396A830 mov eax, dword ptr fs:[00000030h]7_2_0396A830
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D483A mov eax, dword ptr fs:[00000030h]7_2_039D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039D483A mov eax, dword ptr fs:[00000030h]7_2_039D483A
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03960854 mov eax, dword ptr fs:[00000030h]7_2_03960854
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934859 mov eax, dword ptr fs:[00000030h]7_2_03934859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03934859 mov eax, dword ptr fs:[00000030h]7_2_03934859
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03942840 mov ecx, dword ptr fs:[00000030h]7_2_03942840
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE872 mov eax, dword ptr fs:[00000030h]7_2_039BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039BE872 mov eax, dword ptr fs:[00000030h]7_2_039BE872
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6870 mov eax, dword ptr fs:[00000030h]7_2_039C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039C6870 mov eax, dword ptr fs:[00000030h]7_2_039C6870
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03962F98 mov eax, dword ptr fs:[00000030h]7_2_03962F98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03962F98 mov eax, dword ptr fs:[00000030h]7_2_03962F98
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CF80 mov eax, dword ptr fs:[00000030h]7_2_0396CF80
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03A04FE7 mov eax, dword ptr fs:[00000030h]7_2_03A04FE7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392EFD8 mov eax, dword ptr fs:[00000030h]7_2_0392EFD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392EFD8 mov eax, dword ptr fs:[00000030h]7_2_0392EFD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392EFD8 mov eax, dword ptr fs:[00000030h]7_2_0392EFD8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC8 mov eax, dword ptr fs:[00000030h]7_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC8 mov eax, dword ptr fs:[00000030h]7_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC8 mov eax, dword ptr fs:[00000030h]7_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932FC8 mov eax, dword ptr fs:[00000030h]7_2_03932FC8
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03970FF6 mov eax, dword ptr fs:[00000030h]7_2_03970FF6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03970FF6 mov eax, dword ptr fs:[00000030h]7_2_03970FF6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03970FF6 mov eax, dword ptr fs:[00000030h]7_2_03970FF6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03970FF6 mov eax, dword ptr fs:[00000030h]7_2_03970FF6
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E6FF7 mov eax, dword ptr fs:[00000030h]7_2_039E6FF7
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394CFE0 mov eax, dword ptr fs:[00000030h]7_2_0394CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0394CFE0 mov eax, dword ptr fs:[00000030h]7_2_0394CFE0
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_03932F12 mov eax, dword ptr fs:[00000030h]7_2_03932F12
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CF1F mov eax, dword ptr fs:[00000030h]7_2_0396CF1F
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_039E6F00 mov eax, dword ptr fs:[00000030h]7_2_039E6F00
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0395EF28 mov eax, dword ptr fs:[00000030h]7_2_0395EF28
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0392CF50 mov eax, dword ptr fs:[00000030h]7_2_0392CF50
                Source: C:\Windows\SysWOW64\svchost.exeCode function: 7_2_0396CF50 mov eax, dword ptr fs:[00000030h]7_2_0396CF50
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_007581F7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072A364 SetUnhandledExceptionFilter,5_2_0072A364
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072A395 SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_0072A395

                HIPS / PFW / Operating System Protection Evasion

                barindex
                Found direct / indirect Syscall (likely to bypass EDR)
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtWriteVirtualMemory: Direct from: 0x77762E3CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtMapViewOfSection: Direct from: 0x77762D1CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtNotifyChangeKey: Direct from: 0x77763C2CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtCreateMutant: Direct from: 0x777635CCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtResumeThread: Direct from: 0x777636ACJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtProtectVirtualMemory: Direct from: 0x77757B2EJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQuerySystemInformation: Direct from: 0x77762DFCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtAllocateVirtualMemory: Direct from: 0x77762BFCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtReadFile: Direct from: 0x77762ADCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtDelayExecution: Direct from: 0x77762DDCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtWriteVirtualMemory: Direct from: 0x7776490CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQueryInformationProcess: Direct from: 0x77762C26Jump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtResumeThread: Direct from: 0x77762FBCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtCreateUserProcess: Direct from: 0x7776371CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtSetInformationThread: Direct from: 0x777563F9Jump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtOpenKeyEx: Direct from: 0x77763C9CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtSetInformationThread: Direct from: 0x77762B4CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQueryAttributesFile: Direct from: 0x77762E6CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtClose: Direct from: 0x77762B6C
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtReadVirtualMemory: Direct from: 0x77762E8CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtCreateKey: Direct from: 0x77762C6CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQuerySystemInformation: Direct from: 0x777648CCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtAllocateVirtualMemory: Direct from: 0x777648ECJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQueryVolumeInformationFile: Direct from: 0x77762F2CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtOpenSection: Direct from: 0x77762E0CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtDeviceIoControlFile: Direct from: 0x77762AECJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQueryValueKey: Direct from: 0x77762BECJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtQueryInformationToken: Direct from: 0x77762CACJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtTerminateThread: Direct from: 0x77762FCCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtCreateFile: Direct from: 0x77762FECJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtOpenFile: Direct from: 0x77762DCCJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtOpenKeyEx: Direct from: 0x77762B9CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtSetInformationProcess: Direct from: 0x77762C5CJump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeNtProtectVirtualMemory: Direct from: 0x77762F9CJump to behavior
                Maps a DLL or memory area into another process
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeSection loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\svchost.exeSection loaded: NULL target: C:\Windows\SysWOW64\unlodctr.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: NULL target: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: NULL target: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exe protection: execute and read and writeJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read writeJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeSection loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and writeJump to behavior
                Modifies the context of a thread in another process (thread injection)
                Source: C:\Windows\SysWOW64\unlodctr.exeThread register set: target process: 2500Jump to behavior
                Queues an APC in another process (thread injection)
                Source: C:\Windows\SysWOW64\unlodctr.exeThread APC queued: target process: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeJump to behavior
                Writes to foreign memory regions
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeMemory written: C:\Windows\SysWOW64\svchost.exe base: 2DB4008Jump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00758C93 LogonUserW,5_2_00758C93
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00703B4C GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,5_2_00703B4C
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00704A35 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,5_2_00704A35
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00764EF5 mouse_event,5_2_00764EF5
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeProcess created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\DHL408-23-2025.exe"Jump to behavior
                Source: C:\Program Files (x86)\TrjTXjzdfjVmjRpSOkhjGrYjmiMGfZywYXusRdcpqewaXcgUBPIrCYMAyNwUkljhYfZAWNioczkU\26q1gI5vLCf3f.exeProcess created: C:\Windows\SysWOW64\unlodctr.exe "C:\Windows\SysWOW64\unlodctr.exe"Jump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeProcess created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"Jump to behavior
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007581F7 GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,5_2_007581F7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00764C03 AllocateAndInitializeSid,CheckTokenMembership,FreeSid,5_2_00764C03
                Source: DHL408-23-2025.exeBinary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
                Source: DHL408-23-2025.exe, 26q1gI5vLCf3f.exe, 0000000A.00000002.3768190381.00000000019E1000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000000.1529368383.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688389493.0000000000E60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Shell_TrayWnd
                Source: 26q1gI5vLCf3f.exe, 0000000A.00000002.3768190381.00000000019E1000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000000.1529368383.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688389493.0000000000E60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progman
                Source: 26q1gI5vLCf3f.exe, 0000000A.00000002.3768190381.00000000019E1000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000000.1529368383.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688389493.0000000000E60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: ?Program Manager
                Source: 26q1gI5vLCf3f.exe, 0000000A.00000002.3768190381.00000000019E1000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000A.00000000.1529368383.00000000019E0000.00000002.00000001.00040000.00000000.sdmp, 26q1gI5vLCf3f.exe, 0000000C.00000000.1688389493.0000000000E60000.00000002.00000001.00040000.00000000.sdmpBinary or memory string: Progmanlock
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0072886B cpuid 5_2_0072886B
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_007350D7 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,5_2_007350D7
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00742230 GetUserNameW,5_2_00742230
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_0073418A __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,5_2_0073418A
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00704AFE GetVersionExW,GetCurrentProcess,IsWow64Process,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo,5_2_00704AFE

                Stealing of Sensitive Information

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3770627432.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1608689819.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3770676190.0000000004F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3770714330.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609692191.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3761687109.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609630340.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local StateJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\CookiesJump to behavior
                Source: C:\Windows\SysWOW64\unlodctr.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Windows\SysWOW64\unlodctr.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\Jump to behavior
                Source: DHL408-23-2025.exeBinary or memory string: WIN_81
                Source: DHL408-23-2025.exeBinary or memory string: WIN_XP
                Source: DHL408-23-2025.exeBinary or memory string: WIN_XPe
                Source: DHL408-23-2025.exeBinary or memory string: WIN_VISTA
                Source: DHL408-23-2025.exeBinary or memory string: WIN_7
                Source: DHL408-23-2025.exeBinary or memory string: WIN_8
                Source: DHL408-23-2025.exeBinary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_10WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 14, 4USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte

                Remote Access Functionality

                barindex
                Yara detected FormBook
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 0000000B.00000002.3770627432.00000000030F0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1608689819.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000A.00000002.3770676190.0000000004F70000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3770714330.0000000003140000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609692191.0000000005E00000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 0000000B.00000002.3761687109.0000000002C20000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000002.1609630340.0000000003C50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00776596 socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket,5_2_00776596
                Source: C:\Users\user\Desktop\DHL408-23-2025.exeCode function: 5_2_00776A5A socket,WSAGetLastError,bind,WSAGetLastError,closesocket,5_2_00776A5A

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire Infrastructure2
                Valid Accounts                		1
                Native API                		1
                DLL Side-Loading                		1
                Exploitation for Privilege Escalation                		1
                Disable or Modify Tools                		1
                OS Credential Dumping                		2
                System Time Discovery                		Remote Services1
                Archive Collected Data                		4
                Ingress Tool Transfer                		Exfiltration Over Other Network Medium1
                System Shutdown/Reboot
                CredentialsDomainsDefault AccountsScheduled Task/Job2
                Valid Accounts                		1
                Abuse Elevation Control Mechanism                		1
                Deobfuscate/Decode Files or Information                		21
                Input Capture                		1
                Account Discovery                		Remote Desktop Protocol1
                Data from Local System                		1
                Encrypted Channel                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                DLL Side-Loading                		1
                Abuse Elevation Control Mechanism                		Security Account Manager2
                File and Directory Discovery                		SMB/Windows Admin Shares1
                Email Collection                		4
                Non-Application Layer Protocol                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook2
                Valid Accounts                		3
                Obfuscated Files or Information                		NTDS116
                System Information Discovery                		Distributed Component Object Model21
                Input Capture                		4
                Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script21
                Access Token Manipulation                		1
                DLL Side-Loading                		LSA Secrets151
                Security Software Discovery                		SSH3
                Clipboard Data                		Fallback ChannelsScheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC Scripts412
                Process Injection                		2
                Valid Accounts                		Cached Domain Credentials2
                Virtualization/Sandbox Evasion                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items2
                Virtualization/Sandbox Evasion                		DCSync3
                Process Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job21
                Access Token Manipulation                		Proc Filesystem11
                Application Window Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt412
                Process Injection                		/etc/passwd and /etc/shadow1
                System Owner/User Discovery                		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1608107 Sample: DHL408-23-2025.exe Startdate: 06/02/2025 Architecture: WINDOWS Score: 100 28 www.maplesyrup7.click 2->28 30 www.y6h6kn.top 2->30 32 14 other IPs or domains 2->32 42 Suricata IDS alerts for network traffic 2->42 44 Antivirus detection for URL or domain 2->44 46 Multi AV Scanner detection for submitted file 2->46 48 4 other signatures 2->48 10 DHL408-23-2025.exe 4 2->10         started        signatures3 process4 signatures5 60 Binary is likely a compiled AutoIt script file 10->60 62 Writes to foreign memory regions 10->62 64 Maps a DLL or memory area into another process 10->64 66 Switches to a custom stack to bypass stack traces 10->66 13 svchost.exe 10->13         started        process6 signatures7 68 Maps a DLL or memory area into another process 13->68 16 26q1gI5vLCf3f.exe 13->16 injected process8 signatures9 40 Found direct / indirect Syscall (likely to bypass EDR) 16->40 19 unlodctr.exe 13 16->19         started        process10 signatures11 50 Tries to steal Mail credentials (via file / registry access) 19->50 52 Tries to harvest and steal browser information (history, passwords, etc) 19->52 54 Modifies the context of a thread in another process (thread injection) 19->54 56 3 other signatures 19->56 22 26q1gI5vLCf3f.exe 19->22 injected 26 firefox.exe 19->26         started        process12 dnsIp13 34 www.maplesyrup7.click 188.114.97.3, 49971, 80 CLOUDFLARENETUS European Union 22->34 36 www.cruycq.info 47.83.1.90, 49984, 49985, 49986 VODANETInternationalIP-BackboneofVodafoneDE United States 22->36 38 7 other IPs or domains 22->38 58 Found direct / indirect Syscall (likely to bypass EDR) 22->58 signatures14

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.