Windows Analysis Report
bUrP.exe

Overview

General Information

Sample name: bUrP.exe
Analysis ID: 1415997
MD5: 8cc1d92a748e389e44e4d2757e0c276f
SHA1: 314bf49942c9576ec1e6237985a770a891c91380
SHA256: 1e5a837d5e69be8d6e3eb8143e4d96204b5116b5426df20acd769506ab4b3d6f
Tags: exe, xworm

Detection

XWorm
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
C2 URLs / IPs found in malware configuration
Machine Learning detection for sample
Sample uses string decryption to hide its real strings
Sigma detected: Potentially Suspicious Malware Callback Communication
Uses dynamic DNS services
Allocates memory with a write watch (potentially for evading sandboxes)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Yara signature match

Classification

  • System is w10x64
  • bUrP.exe (PID: 7576 cmdline: "C:\Users\user\Desktop\bUrP.exe" MD5: 8CC1D92A748E389E44E4D2757E0C276F)
  • cleanup
{"C2 url": ["dzn.ddns.net"], "Port": "5552", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
Source | Rule | Description | Author | Strings
bUrP.exe | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
bUrP.exe | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
    • 0x637e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x641b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6530:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x61ee:$cnc4: POST / HTTP/1.1

Source | Rule | Description | Author | Strings
00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
    • 0x617e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x621b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6330:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x5fee:$cnc4: POST / HTTP/1.1
Process Memory Space: bUrP.exe PID: 7576 | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |

Source | Rule | Description | Author | Strings
0.0.bUrP.exe.580000.0.unpack | JoeSecurity_XWorm | Yara detected XWorm | Joe Security |
0.0.bUrP.exe.580000.0.unpack | MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
    • 0x637e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x641b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x6530:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x61ee:$cnc4: POST / HTTP/1.1

          System Summary

          Source: Network Connection; Author: Florian Roth (Nextron Systems); Data: DestinationIp: 191.233.27.50, DestinationIsIpv6: false, DestinationPort: 5552, EventID: 3, Image: C:\Users\user\Desktop\bUrP.exe, Initiated: true, ProcessId: 7576, Protocol: tcp, SourceIp: 192.168.2.4, SourceIsIpv6: false, SourcePort: 49729
          No Snort rule has matched

          AV Detection

          Source: bUrP.exe; Avira: detected
          Source: dzn.ddns.net; Avira URL Cloud: Label: malware
          Source: bUrP.exe; Malware Configuration Extractor: Xworm {"C2 url": ["dzn.ddns.net"], "Port": "5552", "Aes key": "<123456789>", "Install file": "USB.exe", "Version": "XWorm V3.1"}
          Source: bUrP.exe; ReversingLabs: Detection: 76%
          Source: bUrP.exe; Joe Sandbox ML: detected
          Source: bUrP.exe; String decryptor: dzn.ddns.net
          Source: bUrP.exe; String decryptor: 5552
          Source: bUrP.exe; String decryptor: <123456789>
          Source: bUrP.exe; String decryptor: <Xwormmm>
          Source: bUrP.exe; String decryptor: USB.exe
          Source: bUrP.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: bUrP.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Networking

          Source: Malware configuration extractor; URLs: dzn.ddns.net
          Source: unknown; DNS query: name: dzn.ddns.net
          Source: global traffic; TCP traffic: 192.168.2.4:49729 -> 191.233.27.50:5552
          Source: Joe Sandbox View; ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
          Source: unknown; UDP traffic detected without corresponding DNS query: 1.1.1.1
          Source: unknown; DNS traffic detected: queries for: dzn.ddns.net

          System Summary

          Source: bUrP.exe, type: SAMPLE; Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: 0.0.bUrP.exe.580000.0.unpack, type: UNPACKEDPE; Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: Detects AsyncRAT Author: ditekSHen
          Source: bUrP.exe, 00000000.00000000.1618157418.000000000058A000.00000002.00000001.01000000.00000003.sdmp; Binary or memory string: OriginalFilenameXClient.exe4 vs bUrP.exe
          Source: bUrP.exe; Binary or memory string: OriginalFilenameXClient.exe4 vs bUrP.exe
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: mscoree.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: apphelp.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: kernel.appcore.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: version.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: vcruntime140_clr0400.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: ucrtbase_clr0400.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: uxtheme.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: cryptsp.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: rsaenh.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: cryptbase.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: sspicli.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: windows.storage.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: wldp.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: profapi.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: mswsock.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: dnsapi.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: iphlpapi.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: rasadhlp.dll
          Source: C:\Users\user\Desktop\bUrP.exe; Section loaded: fwpuclnt.dll
          Source: bUrP.exe; Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
          Source: bUrP.exe, type: SAMPLE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 0.0.bUrP.exe.580000.0.unpack, type: UNPACKEDPE; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY; Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
          Source: bUrP.exe, Helper.cs; Cryptographic APIs: 'TransformFinalBlock'
          Source: bUrP.exe, AlgorithmAES.cs; Cryptographic APIs: 'TransformFinalBlock'
          Source: classification engine; Classification label: mal100.troj.evad.winEXE@1/0@4/1
          Source: C:\Users\user\Desktop\bUrP.exe; Mutant created: \Sessions\1\BaseNamedObjects\JD7Bbn5DlVw5Yl4J
          Source: C:\Users\user\Desktop\bUrP.exe; Mutant created: NULL
          Source: bUrP.exe; Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
          Source: bUrP.exe; Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
          Source: C:\Users\user\Desktop\bUrP.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: bUrP.exe; ReversingLabs: Detection: 76%
          Source: bUrP.exe; Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
          Source: bUrP.exe; Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

          Data Obfuscation

          Source: bUrP.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: bUrP.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Helper.SB(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
          Source: bUrP.exe, Messages.cs; .Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)
          Source: bUrP.exe, Messages.cs; .Net Code: Plugin System.AppDomain.Load(byte[])
          Source: bUrP.exe, Messages.cs; .Net Code: Memory System.AppDomain.Load(byte[])
          Source: bUrP.exe, Messages.cs; .Net Code: Memory
          Source: C:\Users\user\Desktop\bUrP.exe; Process information set: NOOPENFILEERRORBOX
          Source: C:\Users\user\Desktop\bUrP.exe; Memory allocated: CB0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\bUrP.exe; Memory allocated: 1A8E0000 memory reserve | memory write watch
          Source: C:\Users\user\Desktop\bUrP.exe; Window / User API: threadDelayed 9727
          Source: C:\Users\user\Desktop\bUrP.exe TID: 7640; Thread sleep count: 234 > 30
          Source: C:\Users\user\Desktop\bUrP.exe TID: 7640; Thread sleep time: -234000s >= -30000s
          Source: C:\Users\user\Desktop\bUrP.exe TID: 7640; Thread sleep count: 9727 > 30
          Source: C:\Users\user\Desktop\bUrP.exe TID: 7640; Thread sleep time: -9727000s >= -30000s
          Source: C:\Users\user\Desktop\bUrP.exe; File Volume queried: C:\ FullSizeInformation
          Source: bUrP.exe, 00000000.00000002.4066689460.0000000000B16000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllz
          Source: C:\Users\user\Desktop\bUrP.exe; Process token adjusted: Debug
          Source: C:\Users\user\Desktop\bUrP.exe; Memory allocated: page read and write | page guard
          Source: C:\Users\user\Desktop\bUrP.exe; Queries volume information: C:\Users\user\Desktop\bUrP.exe VolumeInformation
          Source: C:\Users\user\Desktop\bUrP.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

          Stealing of Sensitive Information

          Source: Yara match; File source: bUrP.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.bUrP.exe.580000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: bUrP.exe PID: 7576, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara match; File source: bUrP.exe, type: SAMPLE
          Source: Yara match; File source: 0.0.bUrP.exe.580000.0.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
          Source: Yara match; File source: Process Memory Space: bUrP.exe PID: 7576, type: MEMORYSTR

          Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
          Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 2 Virtualization/Sandbox Evasion | OS Credential Dumping | 1 Security Software Discovery | Remote Services | 1 Archive Collected Data | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
          Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | 1 Disable or Modify Tools | LSASS Memory | 2 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Non-Application Layer Protocol | Exfiltration Over Bluetooth | Network Denial of Service
          Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 2 Software Packing | Security Account Manager | 1 Application Window Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 21 Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
          Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 1 Deobfuscate/Decode Files or Information | NTDS | 13 System Information Discovery | Distributed Component Object Model | Input Capture | Protocol Impersonation | Traffic Duplication | Data Destruction
          Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
          Source | Detection | Scanner | Label
          bUrP.exe | 76% | ReversingLabs | ByteCode-MSIL.Trojan.XWorm
          bUrP.exe | 100% | Avira | HEUR/AGEN.1305769
          bUrP.exe | 100% | Joe Sandbox ML |
          No Antivirus matches

          Source | Detection | Scanner | Label
          dzn.ddns.net | 100% | Avira URL Cloud | malware

          Name | IP | Active | Malicious | Antivirus Detection | Reputation
          dzn.ddns.net | 191.233.27.50 | true | true | | unknown

          Name | Malicious | Antivirus Detection | Reputation
          dzn.ddns.net | true | Avira URL Cloud: malware | unknown

          IP | Domain | Country | ASN | ASN Name | Malicious
          191.233.27.50 | dzn.ddns.net | Brazil | 8075 | MICROSOFT-CORP-MSN-AS-BLOCKUS | true

            Joe Sandbox version: 40.0.0 Tourmaline
            Analysis ID: 1415997
            Start date and time: 2024-03-26 18:08:07 +01:00
            Joe Sandbox product: CloudBasic
            Overall analysis duration: 0h 5m 58s
            Hypervisor based Inspection enabled: false
            Report type: full
            Cookbook file name: default.jbs
            Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed: 5
            Number of new started drivers analysed: 0
            Number of existing processes analysed: 0
            Number of existing drivers analysed: 0
            Number of injected processes analysed: 0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode: default
            Analysis stop reason: Timeout
            Sample name: bUrP.exe
            Detection: MAL
            Classification: mal100.troj.evad.winEXE@1/0@4/1
            EGA Information: Failed
            HCA Information:
            • Successful, ratio: 95%
            • Number of executed functions: 18
            • Number of non-executed functions: 0
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Execution Graph export aborted for target bUrP.exe, PID 7576 because it is empty
            • Not all processes where analyzed, report is missing behavior information
            • VT rate limit hit for: bUrP.exe

            Time | Type | Description
            15:09:02 | API Interceptor | 14618199x Sleep call for process: bUrP.exe modified

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            191.233.27.50 | m6ynVs5wGI.exe | malicious | Njrat |
            191.233.27.50 | bTcO.exe | malicious | XWorm |

            Match | Associated Sample Name / URL | Detection | Threat Name | Context
            dzn.ddns.net | m6ynVs5wGI.exe | malicious | Njrat | 191.233.27.50
            dzn.ddns.net | bTcO.exe | malicious | XWorm | 191.233.27.50

                No context
                No context
                No created / dropped files found
                File type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                Entropy (8bit): 5.594082671287542
                TrID:
                • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                • Win32 Executable (generic) a (10002005/4) 49.75%
                • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                • Windows Screen Saver (13104/52) 0.07%
                • Generic Win/DOS Executable (2004/3) 0.01%
                File name: bUrP.exe
                File size: 30'720 bytes
                MD5: 8cc1d92a748e389e44e4d2757e0c276f
                SHA1: 314bf49942c9576ec1e6237985a770a891c91380
                SHA256: 1e5a837d5e69be8d6e3eb8143e4d96204b5116b5426df20acd769506ab4b3d6f
                SHA512: 2ed1c85585eac3b60daa2ed0542dac8215779cdd2f63ff6f19a1b35be0337b3620acc2ce7476d4a6c890ea228c69b2d849fb197dd7d7c7aa70329516a7a3cdb3
                SSDEEP: 768:Pecbl/b37gMYAoRFNU2uBFE9RROqhobr:Wcx6NU24FE9RROqOf
                TLSH: 9DD24C483BE84327D6FE2FF229B2910102759507D923EF5F5CD885ABAF67B8146013E6
                File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....].e.................n............... ........@.. ....................................@................................
                Icon Hash: 90cececece8e8eb0
                Entrypoint: 0x408dee
                Entrypoint Section: .text
                Digitally signed: false
                Imagebase: 0x400000
                Subsystem: windows gui
                Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Time Stamp: 0x65DD5D19 [Tue Feb 27 03:55:05 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major: 4
                OS Version Minor: 0
                File Version Major: 4
                File Version Minor: 0
                Subsystem Version Major: 4
                Subsystem Version Minor: 0
                Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
                Instruction
                jmp dword ptr [00402000h]

                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x8d9c | 0x4f | .text
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa000 | 0x4d8 | .rsrc
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc000 | 0xc | .reloc
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                .text | 0x2000 | 0x6df4 | 0x6e00 | e39b52c093b517307be99d2a61f31366 | False | 0.5041193181818182 | data | 5.759196372207289 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                .rsrc | 0xa000 | 0x4d8 | 0x600 | afbb984503128042cc38bf70e5e337f4 | False | 0.375 | data | 3.7203482473352403 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                .reloc | 0xc000 | 0xc | 0x200 | 026603c255b46d30f672aaf50e95a5c1 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                RT_VERSION | 0xa0a0 | 0x244 | data | | | 0.4724137931034483
                RT_MANIFEST | 0xa2e8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5469387755102041

                DLL | Import
                mscoree.dll | _CorExeMain

                Timestamp  Source Port  Dest Port  Source IP  Dest IP
                Mar 26, 2024 18:11:52.744106054 CET497745552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:52.964072943 CET555249774191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:53.028697014 CET497755552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:53.248629093 CET555249775191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:53.806588888 CET497755552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:54.028309107 CET555249775191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:54.641902924 CET497755552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:54.861349106 CET555249775191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:55.437689066 CET497755552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:55.657505035 CET555249775191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:56.197379112 CET497755552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:56.417162895 CET555249775191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:56.480829000 CET497765552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:56.699738026 CET555249776191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:57.239119053 CET497765552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:57.458525896 CET555249776191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:58.009723902 CET497765552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:58.228836060 CET555249776191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:58.737344027 CET497765552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:58.956588030 CET555249776191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:59.545212984 CET497765552192.168.2.4191.233.27.50
                Mar 26, 2024 18:11:59.769471884 CET555249776191.233.27.50192.168.2.4
                Mar 26, 2024 18:11:59.842797995 CET497775552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:00.061777115 CET555249777191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:00.744079113 CET497775552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:00.962933064 CET555249777191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:01.540963888 CET497775552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:01.759639025 CET555249777191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:02.431613922 CET497775552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:02.650391102 CET555249777191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:03.244080067 CET497775552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:03.462568998 CET555249777191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:03.527895927 CET497785552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:03.746861935 CET555249778191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:04.337852001 CET497785552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:04.557426929 CET555249778191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:05.228468895 CET497785552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:05.447571993 CET555249778191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:06.040957928 CET497785552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:06.260471106 CET555249778191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:06.837847948 CET497785552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:07.057024956 CET555249778191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:07.121375084 CET497795552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:07.340044975 CET555249779191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:08.009788990 CET497795552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:08.228343010 CET555249779191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:08.802654982 CET497795552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:09.022025108 CET555249779191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:09.603511095 CET497795552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:09.822346926 CET555249779191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:10.400373936 CET497795552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:10.619280100 CET555249779191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:13.313118935 CET497805552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:13.531744957 CET555249780191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:14.134710073 CET497805552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:14.353442907 CET555249780191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:14.931576967 CET497805552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:15.150542021 CET555249780191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:15.822262049 CET497805552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:16.040751934 CET555249780191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:16.634706020 CET497805552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:16.853343964 CET555249780191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:16.918567896 CET497815552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:17.137270927 CET555249781191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:17.650782108 CET497815552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:17.869066000 CET555249781191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:18.386785030 CET497815552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:18.604979038 CET555249781191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:19.119090080 CET497815552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:19.337390900 CET555249781191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:19.837835073 CET497815552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:20.056720018 CET555249781191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:20.121872902 CET497825552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:20.340624094 CET555249782191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:20.853446960 CET497825552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:21.072333097 CET555249782191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:21.572196960 CET497825552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:21.791115999 CET555249782191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:22.310769081 CET497825552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:22.529403925 CET555249782191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:23.040952921 CET497825552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:23.259746075 CET555249782191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:25.340228081 CET497835552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:25.560631037 CET555249783191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:26.073088884 CET497835552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:26.293137074 CET555249783191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:26.806591988 CET497835552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:27.029489994 CET555249783191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:27.540941954 CET497835552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:27.768274069 CET555249783191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:28.278768063 CET497835552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:28.499200106 CET555249783191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:28.562772989 CET497845552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:28.781596899 CET555249784191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:29.287061930 CET497845552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:29.506246090 CET555249784191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:30.009706020 CET497845552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:30.228449106 CET555249784191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:30.744091034 CET497845552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:30.963126898 CET555249784191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:31.478456974 CET497845552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:31.697726965 CET555249784191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:31.746148109 CET497855552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:31.964449883 CET555249785191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:32.481375933 CET497855552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:32.699629068 CET555249785191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:33.212821960 CET497855552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:33.431365013 CET555249785191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:33.948951960 CET497855552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:34.167144060 CET555249785191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:34.681566000 CET497855552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:34.900518894 CET555249785191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:34.948966980 CET497865552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:35.168905973 CET555249786191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:35.681582928 CET497865552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:35.901917934 CET555249786191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:36.415945053 CET497865552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:36.636353016 CET555249786191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:37.150312901 CET497865552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:37.371228933 CET555249786191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:37.884824991 CET497865552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:38.104891062 CET555249786191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:39.793180943 CET497875552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:40.012317896 CET555249787191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:40.526752949 CET497875552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:40.745287895 CET555249787191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:41.257265091 CET497875552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:41.475848913 CET555249787191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:41.978755951 CET497875552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:42.197508097 CET555249787191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:42.712824106 CET497875552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:42.931492090 CET555249787191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:45.138762951 CET497885552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:45.357358932 CET555249788191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:45.869066000 CET497885552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:46.087682962 CET555249788191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:46.686753988 CET497885552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:46.905905008 CET555249788191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:47.478538036 CET497885552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:47.699464083 CET555249788191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:48.275312901 CET497885552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:48.494000912 CET555249788191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:48.527096033 CET497895552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:48.746474981 CET555249789191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:49.324976921 CET497895552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:49.544322968 CET555249789191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:50.113482952 CET497895552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:50.332906008 CET555249789191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:50.838747025 CET497895552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:51.058235884 CET555249789191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:51.634722948 CET497895552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:51.854055882 CET555249789191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:51.902276039 CET497905552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:52.120868921 CET555249790191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:52.627435923 CET497905552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:52.846256971 CET555249790191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:53.354743958 CET497905552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:53.573729038 CET555249790191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:54.076865911 CET497905552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:54.298032999 CET555249790191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:54.806746960 CET497905552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:55.025701046 CET555249790191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:55.074754000 CET497915552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:55.294683933 CET555249791191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:55.806705952 CET497915552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:56.027324915 CET555249791191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:56.540951014 CET497915552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:56.760869026 CET555249791191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:57.278744936 CET497915552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:57.498646975 CET555249791191.233.27.50192.168.2.4
                Mar 26, 2024 18:12:58.009717941 CET497915552192.168.2.4191.233.27.50
                Mar 26, 2024 18:12:58.230659962 CET555249791191.233.27.50192.168.2.4
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Mar 26, 2024 18:09:00.996186972 CET | 51881 | 53 | 192.168.2.4 | 1.1.1.1
                Mar 26, 2024 18:09:01.094980001 CET | 53 | 51881 | 1.1.1.1 | 192.168.2.4
                Mar 26, 2024 18:10:07.605846882 CET | 65102 | 53 | 192.168.2.4 | 1.1.1.1
                Mar 26, 2024 18:10:07.704265118 CET | 53 | 65102 | 1.1.1.1 | 192.168.2.4
                Mar 26, 2024 18:11:08.527663946 CET | 55668 | 53 | 192.168.2.4 | 1.1.1.1
                Mar 26, 2024 18:11:08.624799013 CET | 53 | 55668 | 1.1.1.1 | 192.168.2.4
                Mar 26, 2024 18:12:13.215584040 CET | 56031 | 53 | 192.168.2.4 | 1.1.1.1
                Mar 26, 2024 18:12:13.312345982 CET | 53 | 56031 | 1.1.1.1 | 192.168.2.4

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                Mar 26, 2024 18:09:00.996186972 CET | 192.168.2.4 | 1.1.1.1 | 0xdbe1 | Standard query (0) | dzn.ddns.net | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:10:07.605846882 CET | 192.168.2.4 | 1.1.1.1 | 0x5b08 | Standard query (0) | dzn.ddns.net | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:11:08.527663946 CET | 192.168.2.4 | 1.1.1.1 | 0xd1b0 | Standard query (0) | dzn.ddns.net | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:12:13.215584040 CET | 192.168.2.4 | 1.1.1.1 | 0xa6c9 | Standard query (0) | dzn.ddns.net | A (IP address) | IN (0x0001) | false

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                Mar 26, 2024 18:09:01.094980001 CET | 1.1.1.1 | 192.168.2.4 | 0xdbe1 | No error (0) | dzn.ddns.net |  | 191.233.27.50 | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:10:07.704265118 CET | 1.1.1.1 | 192.168.2.4 | 0x5b08 | No error (0) | dzn.ddns.net |  | 191.233.27.50 | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:11:08.624799013 CET | 1.1.1.1 | 192.168.2.4 | 0xd1b0 | No error (0) | dzn.ddns.net |  | 191.233.27.50 | A (IP address) | IN (0x0001) | false
                Mar 26, 2024 18:12:13.312345982 CET | 1.1.1.1 | 192.168.2.4 | 0xa6c9 | No error (0) | dzn.ddns.net |  | 191.233.27.50 | A (IP address) | IN (0x0001) | false


                Target ID: 0
                Start time: 15:08:51
                Start date: 26/03/2024
                Path: C:\Users\user\Desktop\bUrP.exe
                Wow64 process (32bit): false
                Commandline: "C:\Users\user\Desktop\bUrP.exe"
                Imagebase: 0x580000
                File size: 30'720 bytes
                MD5 hash: 8CC1D92A748E389E44E4D2757E0C276F
                Has elevated privileges: true
                Has administrator privileges: true
                Programmed in: C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000000.1618143277.0000000000582000.00000002.00000001.01000000.00000003.sdmp, Author: ditekSHen
                Reputation: low
                Has exited: false

                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 1140a0fc489f317be8c92053847bf6ff11cf08ff39fc382d48e5903b14cadfb3
                  • Instruction ID: 5d269686e92617ae855e57912c2374ad776a4c427d298ee15af6f1c80b97905d
                  • Opcode Fuzzy Hash: 1140a0fc489f317be8c92053847bf6ff11cf08ff39fc382d48e5903b14cadfb3
                  • Instruction Fuzzy Hash: 32F08170E0D80A8BE375EB5884616B873A2EF9C310F614574C02DC71E5DF38B9428791
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.4068588495.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd9b880000_bUrP.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 9e9d6056080527162c64df3ce5d08f909bdc1a4620bc7c28024b733e6cb84f67
                  • Instruction ID: a7e81d8095fb0bc074716db242155c099fb60a004a2eb86e6bb28a80b78391d4
                  • Opcode Fuzzy Hash: 9e9d6056080527162c64df3ce5d08f909bdc1a4620bc7c28024b733e6cb84f67
                  • Instruction Fuzzy Hash: A0E0CD3586E7CD4FE7A29F5488261D9BF60FF59200F4511CFE55887053DA2596184382
                  Uniqueness

                  Uniqueness Score: -1.00%

                  Memory Dump Source
                  • Source File: 00000000.00000002.4068588495.00007FFD9B880000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FFD9B880000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_7ffd9b880000_bUrP.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: d0e46dc64f8a2847caa49296849c7220a4199954dda86525dd6ff78812fcc25f
                  • Instruction ID: cf6551d0e25fab144161bf60aa64b36dab938327fb4c14cf1950cc6903dc1d87
                  • Opcode Fuzzy Hash: d0e46dc64f8a2847caa49296849c7220a4199954dda86525dd6ff78812fcc25f
                  • Instruction Fuzzy Hash: 7DD05EA0E1F84A53F33577B14825ABA29A58FCD744F160074E02D964EA9E7C2A4443A1
                  Uniqueness

                  Uniqueness Score: -1.00%