Report #13103

(1)

Binary

DLL False

Size 71.50KB

trid 41.0% Win32 Executable MS Visual C++

36.3% Win64 Executable

8.6% Win32 Dynamic Link Library 5.9% Win32 Executable

2.6% OS/2 Executable

type PE

wordsize 32

Subsystem Windows GUI

Hashes

md5 d35833e98209e9267c4fe5c2c3e88ae9

sha1 2904327b36327b9e40ae4c4216e369d4a26f5191

crc32 0xd96bde1e

sha224 7ad7fafde138296ef60bbd70fd24f114558c19921a6b757462ad8fcb

sha256 63de0e29608ba9702fc0996460271886d1f5c8809788be035105bc317a47a 5cd

sha384 43f9e4f104308f8648eca07bcd3b22e73bae12c333d8e3407492d25ee05172 37a0b14c17af944c123f261d25e1970e3f

sha512 cfded83278db13ad7a6d9738097e8743edb7e2d738f45bf2dda400588b931 304f9d398a20d5239331af9e8a4e2be588820e5bfd7094500bc751279876a 2ddc75

ssdeep 1536:82tDEGcbBM8T2ZKpUZir/QxkvsKp00l3uU1HIED1fCbWpygzU:NeGcbBI KSK+SJj16bE

Report #13103

Creation Date: Aug. 20, 2021, 1:17 a.m.

Last Update: Aug. 20, 2021, 1:34 a.m.

File:

dpapimig.exe Results:

(2)

Community

Google False

HashLib False

YARA

Matches domain, win_token, contentis_base64, win_registry, HasDebugData, IP, IsPE 32, IsWindowsGUI, HasRichSignature

Suspicious True

Imports

DUI70.dll StrToID, ?GetEncodedContentString@Element@DirectUI@@QAEJPAGI@Z, ?F indDescendent@Element@DirectUI@@QAEPAV12@G@Z, ?DestroyCP@Task Page@DirectUI@@EAEXXZ, ?CreateParserCP@TaskPage@DirectUI@@EAEJP APAVDUIXmlParser@2@@Z, ?CreateDUICP@TaskPage@DirectUI@@EAEJPAV HWNDElement@2@PAUHWND__@@1PAPAVElement@2@PAPAVDUIXmlPars er@2@@Z, ?Click@Button@DirectUI@@SG?AVUID@@XZ, ?LoadParser@Tas kPage@DirectUI@@MAEJPAPAVDUIXmlParser@2@@Z, ?PropSheet_SendMes sage@TaskPage@DirectUI@@IAEJIIJ@Z, ?DUICreatePropertySheetPage@Tas kPage@DirectUI@@QAEJPAUHINSTANCE__@@@Z, ?SetVisible@Element@Di rectUI@@QAEJ_N@Z, ?SetLayoutPos@Element@DirectUI@@QAEJH@Z, ?Set ContentString@Element@DirectUI@@QAEJPBG@Z, ?SetEnabled@Element

@DirectUI@@QAEJ_N@Z, ?SetMaxLength@Edit@DirectUI@@QAEJH@Z, ?Lo adPage@TaskPage@DirectUI@@MAEJPAVHWNDElement@2@PAUHINSTANC E__@@PAPAVElement@2@PAPAVDUIXmlParser@2@@Z, ?InitPropSheetPage

@TaskPage@DirectUI@@MAEXPAU_PROPSHEETPAGEW@@@Z, ?OnQueryCa ncel@TaskPage@DirectUI@@MAEJXZ, ?OnReset@TaskPage@DirectUI@@MA EJXZ, ?OnWizBack@TaskPage@DirectUI@@MAEJXZ, ?OnWizFinish@TaskPag e@DirectUI@@MAEJXZ, ?OnWizNext@TaskPage@DirectUI@@MAEJXZ, ?OnQ ueryInitialFocus@TaskPage@DirectUI@@MAEPAVElement@2@XZ, ?OnMess age@TaskPage@DirectUI@@MAE_NIIJPAJ@Z, ?OnListenerAttach@TaskPage

@DirectUI@@MAEXPAVElement@2@@Z, ?OnListenerDetach@TaskPage@Di rectUI@@MAEXPAVElement@2@@Z, ?OnListenedPropertyChanging@TaskP age@DirectUI@@MAE_NPAVElement@2@PBUPropertyInfo@2@HPAVValue@

2@2@Z, ?OnListenedPropertyChanged@TaskPage@DirectUI@@MAEXPAVEl ement@2@PBUPropertyInfo@2@HPAVValue@2@2@Z, ?OnListenedInput@T askPage@DirectUI@@MAEXPAVElement@2@PAUInputEvent@2@@Z, UnInit Thread, InitThread, ??1TaskPage@DirectUI@@UAE@XZ, UnInitProcessPriv, ?

?0TaskPage@DirectUI@@QAE@XZ, InitProcessPriv

ole32.dll CoInitialize

USER32.dll LoadIconW, LoadStringW, MessageBoxW, PostMessageW

msvcrt.dll _callnewh, malloc, wcsncmp, ?terminate@@YAXXZ, free, _XcptFilter, __p__c ommode, _controlfp, memset, _except_handler4_common, _acmdln, _initter m, __setusermatherr, _ismbblead, __p__fmode, _cexit, _exit, exit, __set_app

(3)

_type, __getmainargs, _amsg_exit

samcli.dll NetUserModalsGet

CRYPT32.dll CryptUpdateProtectedState

SHELL32.dll CommandLineToArgvW

ADVAPI32.dll GetTokenInformation, GetSidIdentifierAuthority, RegEnumValueW, OpenThr eadToken, GetLengthSid, ConvertSidToStringSidW, RegOpenKeyExW, OpenP rocessToken, IsValidSid, RegDeleteTreeW, RegEnumKeyExW, ConvertStringS idToSidW, CopySid, GetSidSubAuthority, GetSidSubAuthorityCount, RegClos eKey

KERNEL32.dll GetCommandLineW, GetCurrentProcess, CompareStringOrdinal, GetCurrent Thread, CloseHandle, LocalAlloc, GetLastError, LocalFree

netutils.dll NetApiBufferFree

api-ms-win-core-com-l1-1-0.dll CoUninitialize api-ms-win-core-synch-l1-2-0.dll Sleep

api-ms-win-core-profile-l1-1-0.dl l

QueryPerformanceCounter

api-ms-win-core-sysinfo-l1-1-0.d ll

GetSystemTimeAsFileTime, GetTickCount

api-ms-win-core-errorhandling-l 1-1-0.dll

SetUnhandledExceptionFilter, UnhandledExceptionFilter

api-ms-win-core-libraryloader-l1 -2-0.dll

GetModuleHandleW

api-ms-win-core-processthreads -l1-1-0.dll

GetCurrentThreadId, GetStartupInfoW, TerminateProcess, GetCurrentProces sId

Strings

List

dpapimig.pdb CRYPT32.dll JJ.TC

COMCTL32.dll netutils.dll DUI70.dll dpapimig.exe samcli.dll

Software\Microsoft\Windows NT\CurrentVersion\DPAPI\MigratedUsers

<element id="atom(errorstatusicon)" accessible="true" accrole="graphic" accname="resstr(1602)" accDesc="res

(4)

str(1616)" content="icon(103,sysmetric(49),sysmetric(50),library(user32.dll))" layoutpos="none"/>

<element id="atom(warnstatusicon)" accessible="true" accrole="graphic" accname="resstr(1601)" accDesc="res str(1614)" content="icon(101,sysmetric(49),sysmetric(50),library(user32.dll))" layoutpos="client" visible="false"/

>

<assemblyIdentity name="Microsoft.Windows.DS.dpapimig"

name="Microsoft.Windows.Common-Controls"

*o%n1

api-ms-win-core-processthreads-l1-1-0.dll api-ms-win-core-sysinfo-l1-1-0.dll

api-ms-win-core-libraryloader-l1-2-0.dll api-ms-win-core-errorhandling-l1-1-0.dll

<description>dpapimig.exe</description>

api-ms-win-core-profile-l1-1-0.dll api-ms-win-core-synch-l1-2-0.dll api-ms-win-core-com-l1-1-0.dll

?OnListenedPropertyChanging@TaskPage@DirectUI@@MAE_NPAVElement@2@PBUPropertyInfo@2@HPAVValue@2

@2@Z

?OnListenedPropertyChanged@TaskPage@DirectUI@@MAEXPAVElement@2@PBUPropertyInfo@2@HPAVValue@2@

2@Z

?OnListenerAttach@TaskPage@DirectUI@@MAEXPAVElement@2@@Z

?OnListenedInput@TaskPage@DirectUI@@MAEXPAVElement@2@PAUInputEvent@2@@Z

?OnListenerDetach@TaskPage@DirectUI@@MAEXPAVElement@2@@Z

publicKeyToken="6595b64144ccf1df"

_acmdln usernameText userName UserName

OpenProcessToken TerminateProcess machineName

<element id="atom(userName)" padding="rect(0rp,0rp,10rp,0rp)" content="resstr(1609)" contentalign="wrapleft

" accrole="statictext" accessible="true" layoutpos="client"/>

passwordText password

RegEnumKeyExW RegOpenKeyExW GetModuleHandleW QueryPerformanceCounter

GetTickCount

Sleep

<element resid="page1" id="atom(wizardroot)" sheet="common" layout="borderlayout()" width="563rp" height

="300rp">

?DestroyCP@TaskPage@DirectUI@@EAEXXZ

<requestedExecutionLevel

10.0.19041.1 (WinBuild.160101.0800)

(5)

version="5.1.0.0"

version="6.0.0.0"

__p__commode _callnewh

?OnQueryInitialFocus@TaskPage@DirectUI@@MAEPAVElement@2@XZ _initterm

<aZY`onn_

processorArchitecture="*"

__p__fmode

</duixml>

10.0.19041.1

0 0$0(0,0004080<0@0D0H0L0P0T0X0\0`0d0 _ismbblead

.CRT$XIAA .CRT$XCAA __setusermatherr

</dependentAssembly>

language="*" />

_controlfp __set_app_type _amsg_exit

?OnWizFinish@TaskPage@DirectUI@@MAEJXZ

?OnQueryCancel@TaskPage@DirectUI@@MAEJXZ __getmainargs

</style>

_XcptFilter

?OnWizBack@TaskPage@DirectUI@@MAEJXZ

?OnWizNext@TaskPage@DirectUI@@MAEJXZ

?OnMessage@TaskPage@DirectUI@@MAE_NIIJPAJ@Z .rdata$brc

uiAccess="false"

</dependency>

?terminate@@YAXXZ

?HTi"G

level="asInvoker"

?OnReset@TaskPage@DirectUI@@MAEJXZ

</stylesheets>

Microsoft

Microsoft Corporation

Foremost

Matches 0.exe, 71 KB, 63.png, 23 KB

Suspicious True

Heuristics

IPs hasIPs: False

Allowed Suspicious

(6)

hasAllowed: False hasSuspicious: False

URLs Allowed

hasURLs: False Suspicious

hasAllowed: False hasSuspicious: False

Files Allowed: api-ms-win-core-synch-l1-2-0.dll, ADVAPI32.dll, ole32.dll, USER32.

dll, SHELL32.dll, KERNEL32.dll, api-ms-win-core-processthreads-l1-1-0.dll, C OMCTL32.dll, CRYPT32.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-cor e-sysinfo-l1-1-0.dll, DUI70.dll, msvcrt.dll, api-ms-win-core-libraryloader-l1-2- 0.dll, api-ms-win-core-com-l1-1-0.dll, samcli.dll, netutils.dll, api-ms-win-core -errorhandling-l1-1-0.dll

hasFiles: True Suspicious

hasAllowed: True hasSuspicious: False

Binary

Sizes RVA

RVA: 16

Suspicious: False Code

Size: 64000

Suspicious: False Image

Address: 4194304 Suspicious: False Stack

Stack: 8192 Suspicious: False Headers

Headers: 1024 Suspicious: False Suspicious: False

Symbols Number

Number: 0

Suspicious: True Pointer

Pointer: 0

Suspicious: True Directories Number: 16 Suspicious: False

Checksum Value: 108905

Suspicous: False

(7)

Sections Allowed: .text, .data, .idata, .rsrc, .reloc Suspicious

hasAllowed: True hasSections: True hasSuspicious: False

Versions OS

Version: 10

Suspicious: False Image

Version: False Suspicious: 10 Linker

Version: 14.20 Suspicious: False Subsystem

Version: 10.0 Suspicious: False Suspicious: False

EntryPoint Address: 10416

Suspicious: False

Anomalies Anomalies

hasAnomalies: False

Libraries Allowed: api-ms-win-core-synch-l1-2-0.dll, advapi32.dll, ole32.dll, user32.d ll, shell32.dll, kernel32.dll, api-ms-win-core-processthreads-l1-1-0.dll, comct l32.dll, crypt32.dll, api-ms-win-core-profile-l1-1-0.dll, api-ms-win-core-sysinf o-l1-1-0.dll, dui70.dll, msvcrt.dll, api-ms-win-core-com-l1-1-0.dll, samcli.dll, netutils.dll, api-ms-win-core-errorhandling-l1-1-0.dll

hasLibs: True

Suspicious: api-ms-win-core-libraryloader-l1-2-0.dll hasAllowed: True

hasSuspicious: True

Timestamp Past: False

Valid: True

Value: 2047-01-21 21:41:56 Future: True

Compilation Packed: False

Missing: False Packers

Compiled: True

Compilers: Microsoft Visual C++ 8

Obfuscation XOR: False

Fuzzing: False

(8)

PEDetector

Matches None

Suspicious False

Disassembly

hasTricks True

Tricks

pushret .rsrc: 12

.text: 2

pushpopmath .rsrc: 13

ss register .rsrc: 1

garbagebytes .rsrc: 5

.text: 1

programcontrolflowchange .rsrc: 5 .text: 1

cpuinstructionsresultscomparison .rsrc: 12

AVclass

None 1

VirusTotal

md5 d35833e98209e9267c4fe5c2c3e88ae9

sha1 2904327b36327b9e40ae4c4216e369d4a26f5191

SCANS (DETECTION RATE = 0.00%)

CMC update: 20210506

version: 2.10.2019.1 detected: False

(9)

MAX update: 20210614 version: 2019.9.16.1 detected: False

APEX update: 20210613

version: 6.174 detected: False

Bkav update: 20210612

K7GW update: 20210614

version: 11.187.37441 detected: False

ALYac update: 20210614

Avast update: 20210614

Avira update: 20210613

Baidu update: 20190318

Cynet update: 20210614

Cyren update: 20210614

DrWeb update: 20210614

GData update: 20210614

(10)

version: A:25.29950B:27.23352 detected: False

Panda update: 20210613

VBA32 update: 20210611

VIPRE update: 20210614

version: 93278 detected: False

Zoner update: 20210613

ClamAV update: 20210613

Comodo update: 20210613

Ikarus update: 20210613

Lionic update: 20210614

McAfee update: 20210614

Rising update: 20210614

Sophos update: 20210613

version: 1.0.2.0

(11)

detected: False

Yandex update: 20210613

Zillya update: 20210611

Acronis update: 20210512

Alibaba update: 20190527

Arcabit update: 20210614

Cylance update: 20210614

Elastic update: 20210524

FireEye update: 20210614

Sangfor update: 20210607

TACHYON update: 20210614

version: 2021-06-14.01 detected: False

Tencent update: 20210614

(12)

ViRobot update: 20210614 version: 2014.3.20.0 detected: False

Webroot update: 20210614

eGambit update: 20210614

detected: False

Ad-Aware update: 20210614

Emsisoft update: 20210614

F-Secure update: 20210614

Fortinet update: 20210614

Jiangmin update: 20210613

Kingsoft update: 20210614

Paloalto update: 20210614

Symantec update: 20210613

(13)

AhnLab-V3 update: 20210614 version: 3.20.2.10137 detected: False

Antiy-AVL update: 20210614

Kaspersky update: 20210614

MaxSecure update: 20210612

Microsoft update: 20210614

Qihoo-360 update: 20210614

ZoneAlarm update: 20210614

Cybereason update: 20210330

ESET-NOD32 update: 20210614

Gridinsoft update: 20210614

TrendMicro update: 20210614

BitDefender update: 20210614

(14)

CrowdStrike update: 20210203

K7AntiVirus update: 20210614

SentinelOne update: 20210518

Malwarebytes update: 20210614

CAT-QuickHeal update: 20210613

NANO-Antivirus update: 20210614

BitDefenderTheta update: 20210610 version: 7.2.37796.0 detected: False

MicroWorld-eScan update: 20210614 version: 14.0.409.0 detected: False

SUPERAntiSpyware update: 20210612 version: 5.6.0.1032 detected: False

McAfee-GW-Edition update: 20210613 version: v2019.1.2+3728 detected: False

TrendMicro-HouseCall update: 20210614 version: 10.0.0.1040

(15)

detected: False

total 69

sha256 63de0e29608ba9702fc0996460271886d1f5c8809788be035105bc317a47a 5cd

scan_id 63de0e29608ba9702fc0996460271886d1f5c8809788be035105bc317a47a 5cd-1623647588

resource d35833e98209e9267c4fe5c2c3e88ae9

permalink https://www.virustotal.com/gui/file/63de0e29608ba9702fc0996460271886d 1f5c8809788be035105bc317a47a5cd/detection/f-63de0e29608ba9702fc09 96460271886d1f5c8809788be035105bc317a47a5cd-1623647588

positives 0

scan_date 2021-06-14 05:13:08

verbose_msg Scan finished, information embedded

response_code 1

File

Trace

20/8/2021 - 0:45:43.

497

Un kn ow n

4 C:\Users\Behemot\Desktop\desktop.ini

20/8/2021 - 0:45:43.

497

Un kn ow n

4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 0:45:45.

497

Wri

te 4 C:\Windows

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

C:\Windows\System32\s

vchost.exe C:\Monitor\WKCD_Load_Use.exe

20/8/2021 - 0:45:48.

856

Un kn ow n

2 9 2 8

vchost.exe C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

(16)

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

20/8/2021 - 0:45:48.

856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

20/8/2021 - 0:45:48.

856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

20/8/2021 - 0:45:48.

856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

20/8/2021 - 0:45:48.

856

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

856

Op en

2 9 2 8

vchost.exe C:\Windows\Temp\TMP000000A2F27954F4B4C5FD26

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

TMP000000A2F 27954F4B4C5F D26

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

2

(17)

20/8/2021 - 0:45:48.

872

Op en

9 2 8

20/8/2021 - 0:45:48.

872

Re ad

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Re ad

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Re ad

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Re ad

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

vchost.exe C:\Windows\Temp\TMP000000A30415A103D3F52066

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

vchost.exe C:\Monitor\WKCD_Load_Use.exe:Zone.Identifier

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

20/8/2021 - 0:45:48.

872

Re ad

2 9 2 8

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

TMP000000A3 0415A103D3F5 2066

20/8/2021 Un 2

(18)

- 0:45:48.

872

kn ow n

9 2 8

C:\Windows\System32\s vchost.exe

C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

872

Op en

2 9 2 8

20/8/2021 - 0:45:48.

872

Un kn ow n

2 9 2 8

e.exe

20/8/2021 - 0:45:48.

887

Un kn ow n

2 9 2 8

TMP000000A2F 27954F4B4C5F D26

20/8/2021 - 0:45:48.

887

Wri te

2 9 4 8

C:\Monitor\WKCD_Load_

Use.exe C:\Monitor\Files\Logs\File.log

20/8/2021 - 0:45:49.

497

Un kn ow n

4 C:\Monitor\WKCD_Load_Use.exe WKCD_Load_Us

e.exe

20/8/2021 - 0:45:49.

497

Wri

te 4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 0:45:49.

Un kn

ow 4 C:\Monitor\Files\Logs\File.log

(19)

497 n

20/8/2021 - 0:45:51.

465

Wri

te 4 C:\Users\Behemot

20/8/2021 - 0:45:53.

325

Op en

7 9 6

C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782 7.pf

20/8/2021 - 0:45:53.

325

Op en

7 9 6

20/8/2021 - 0:45:53.

325

Wri te

7 9 6

WKCD_LOAD_U SE.EXE-695C78 27.pf

20/8/2021 - 0:45:53.

325

Un kn ow n

7 9 6

20/8/2021 - 0:45:53.

340

Op en

7 9 6

vchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 0:45:53.

340

Un kn ow n

7 9 6

vchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE- 1F3E9D7E.pf

20/8/2021 - 0:45:53.

340

Op en

7 9 6

vchost.exe C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf

20/8/2021 - 0:45:53.

340

Wri te

7 9 6

20/8/2021 - 0:45:53.

340

Un kn ow n

7 9 6

20/8/2021 - 0:45:53.

497

Wri

te 4 C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

7.pf

20/8/2021 - 0:45:53.

497

Wri

te 4 C:\Windows\Prefetch\CONHOST.EXE-1F3E9D7E.pf CONHOST.EXE-

1F3E9D7E.pf

20/8/2021 - 0:45:53.

Un

kn C:\Windows\Prefetch\WKCD_LOAD_USE.EXE-695C782

WKCD_LOAD_U SE.EXE-695C78

(20)

497 ow n

4 7.pf 27.pf

20/8/2021 - 0:45:53.

497

Un kn ow n

20/8/2021 - 0:45:53.

497

Un kn ow n

20/8/2021 - 0:45:53.

497

Wri te

2 9 4 8

20/8/2021 - 0:45:53.

497

Wri te

2 9 4 8

20/8/2021 - 0:45:53.

856

Op en

2 9 2 8

vchost.exe C:\Windows\System32\conhost.exe

20/8/2021 - 0:45:53.

856

Op en

2 9 2 8

20/8/2021 - 0:45:53.

856

Op en

2 9 2 8

20/8/2021 - 0:45:53.

856

Op en

2 9 2 8

20/8/2021 - 0:45:55.

497

Wri

20/8/2021 - 0:45:55.

497

Un kn ow n

4 C:\Monitor\Files\Logs\File.log

20/8/2021 - 0:45:56.

965

Wri

te 4 C:\Monitor

(21)

20/8/2021 - 0:45:59.

528

Wri te

6 8 4

vchost.exe C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 0:45:59.

528

Wri te

6 8 4

vchost.exe C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 0:45:59.

528

Wri te

6 8 4

vchost.exe C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 0:45:59.

528

Wri te

6 8 4

vchost.exe C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 0:46:1.4 97

Wri

te 4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 0:46:1.4 97

Wri

te 4 C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 0:46:3.4 65

Wri

te 4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 0:46:3.4 65

Wri

te 4 C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 0:46:3.4 65

Un kn ow n

4 C:\Windows\System32\winevt\Logs\System.evtx

20/8/2021 - 0:46:3.4 65

Un kn ow n

4 C:\Windows\System32\winevt\Logs\Security.evtx

20/8/2021 - 0:46:7.2 15

Wri

te 4 C:\Windows\Temp

20/8/2021 - 0:46:17.

465

Wri te

6 8 4

C:\Windows\ServiceProfiles\LocalService\AppData\Loc al\lastalive0.dat

20/8/2021 - 0:46:19.

481

Wri

te 4 C:\Windows

(22)

20/8/2021 - 0:46:27.

418

Wri

te 4 C:\System Volume Information\Syscache.hve.LOG1

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

20/8/2021 - 0:46:27.

418

Wri

te 4 C:\System Volume Information\Syscache.hve

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

(23)

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri

20/8/2021 - 0:46:27.

434

Wri te

2 9 4 8

20/8/2021 - 0:46:27.

528

Wri

20/8/2021 - 0:46:30.

434

Wri

20/8/2021 - 0:46:30.

434

Un kn ow n

20/8/2021 - 0:46:37.

528

Wri

te 4 C:\Windows\System32\config\SYSTEM.LOG1

20/8/2021 - 0:46:37.

528

Wri

20/8/2021 - 0:46:37.

528

Wri

20/8/2021 - 0:46:37.

528

Wri

(24)

20/8/2021 - 0:46:37.

528

Wri te

4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 0:46:37.

528

Wri

te 4 C:\Windows\System32\config\SYSTEM

20/8/2021 - 0:46:37.

528

Wri

20/8/2021 - 0:46:37.

528

Wri

20/8/2021 - 0:46:55.

715

Op en

5 2 8

C:\Windows\System32\

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 0:46:55.

715

Un kn ow n

5 2 8

SearchIndexer.exe C:\ProgramData\Microsoft\Search\Data

20/8/2021 - 0:47:17.

481

Wri te

6 8 4

20/8/2021 - 0:47:27.

559

Op en

1 8 6 4

C:\Windows\explorer.ex

e C:\

20/8/2021 - 0:47:27.

559

Un kn ow n

1 8 6 4

e C:\

20/8/2021 - 0:47:32.

809

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 0:47:32.

809

Op en

1 8 6 4

e C:\Users\Behemot

20/8/2021 - 0:47:32.

809

Un kn ow n

1 8 6 4

e C:\Users\Behemot

20/8/2021 Op

1

8 C:\Windows\explorer.ex

(25)

- 0:47:32.

809

en 6 4

e C:\Users\Behemot\AppData\Roaming

20/8/2021 - 0:47:32.

809

Op en

1 8 6 4

20/8/2021 - 0:47:32.

809

Un kn ow n

1 8 6 4

20/8/2021 - 0:47:32.

809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes

20/8/2021 - 0:47:32.

809

Op en

1 8 6 4

C:\Windows\explorer.ex e

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Themes\slideshow.ini

20/8/2021 - 0:47:35.

856

Op en

7 9 6

vchost.exe C:\Windows\CSC\v2.0.6\namespace

20/8/2021 - 0:47:35.

856

Un kn ow n

7 9 6

20/8/2021 - 0:47:35.

856

Un kn ow n

7 9 6

20/8/2021 - 0:47:35.

856

Op en

7 9 6

vchost.exe \Device\Mup\.\.\

20/8/2021 - 0:47:35.

856

Op en

7 9 6

20/8/2021 - 0:47:35.

856

Un kn ow n

7 9 6

20/8/2021 - 0:47:35.

856

Un kn ow n

7 9 6

(26)

20/8/2021 - 0:47:35.

856

Un kn ow n

7 9 6

20/8/2021 - 0:47:35.

856

Wri te

2 9 4 8

20/8/2021 - 0:47:35.

856

Wri te

2 9 4 8

20/8/2021 - 0:47:38.

887

Wri

20/8/2021 - 0:47:38.

887

Un kn ow n

20/8/2021 - 0:47:40.

247

Re ad

1 2 3 2

C:\Program Files\Windo ws Media Player\wmpn etwk.exe

C:\Program Files\Windows Media Player\wmpnetwk.e xe

20/8/2021 - 0:47:58.

137

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 0:47:58.

137

Op en

1 8 6 4

e C:\Windows\System32\netprofm.dll

20/8/2021 - 0:47:58.

418

Wri te

2 9 4 8

Use.exe C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 0:47:59.

497

Re ad

6 8 4

C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 0:48:1.4 18

Wri

te 4 C:\Monitor\Files\Logs\Registry.log

20/8/2021 - 0:48:1.4 18

Un kn ow n

4 C:\Monitor\Files\Logs\Registry.log

(27)

20/8/2021 - 0:48:3.3 25

Wri

te 4 C:\Users\Behemot\ntuser.dat.LOG1

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:3.3 25

Wri

te 4 C:\Users\Behemot\NTUSER.DAT

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:3.3 25

Wri

20/8/2021 - 0:48:11.

309

Op

en 4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 0:48:11.

309

Un kn ow n

4 \Device\HarddiskVolume1\System Volume Informatio n

20/8/2021 - 0:48:13.

59

Op

en 4 C:\System Volume Information

20/8/2021 - 0:48:13.

59

Op

en 4 C:\System Volume Information\{3808876b-c176-4e4 8-b7ae-04046e6cc752}

20/8/2021 - 0:48:13.

59

Op en 4

C:\System Volume Information\{bcf7d7ec-4f18-11e8- 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0 4046e6cc752}

20/8/2021 C:\System Volume Information\{bcf7d7f0-4f18-11e8-

(28)

- 0:48:13.

59

Op en

4 8b8a-525400842a13}{3808876b-c176-4e48-b7ae-0

4046e6cc752}

20/8/2021 - 0:48:13.

59

Un kn ow n

4 C:\System Volume Information

20/8/2021 - 0:48:13.

59

Wri te

2 9 4 8

20/8/2021 - 0:48:14.

465

Wri

20/8/2021 - 0:48:14.

465

Un kn ow n

20/8/2021 - 0:48:17.

481

Wri te

6 8 4

20/8/2021 - 0:48:29.

59

Wri

te 4 C:\Users\Behemot

20/8/2021 - 0:48:29.

575

Wri te

6 8 4

20/8/2021 - 0:48:29.

575

Wri te

6 8 4

20/8/2021 - 0:48:29.

575

Wri te

6 8 4

20/8/2021 - 0:48:30.

856

Op en

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

(29)

20/8/2021 - 0:48:30.

856

Op en

7 9 6

20/8/2021 - 0:48:30.

856

Op en

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:30.

856

Op en

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:48:32.

481

Wri

te 4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 0:48:32.

575

Wri

te 4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 0:48:32.

575

Un kn ow n

4 C:\Windows\System32\winevt\Logs\Microsoft-Window s-HomeGroup Provider Service%4Operational.evtx

20/8/2021 - 0:49:4.5 43

Wri

(30)

20/8/2021 - 0:49:4.5 43

Wri te

4 C:\Windows\System32\config\SYSTEM.LOG1

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:4.5 43

Wri te

2 9 4 8

20/8/2021 - 0:49:4.5 43

Wri

20/8/2021 - 0:49:7.5 75

Wri

20/8/2021 - 0:49:7.5 75

Un kn ow n

20/8/2021 - 0:49:17.

465

Wri te

6 8 4

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Windows\System32\t askhost.exe

C:\Users\Behemot\AppData\Local\Microsoft\Windows\

Temporary Internet Files\Content.IE5\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

Temporary Internet Files\Content.IE5\container.dat container.dat

(31)

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

History\History.IE5\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

History\History.IE5\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca che\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Feeds Ca

che\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatCache\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo

ws\IECompatCache\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IECompatUACache\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

ws\IECompatUACache\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\DNTException\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

ws\DNTException\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\Cookies\container.dat

(32)

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

ws\Cookies\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieSiteList\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E

xplorer\EmieSiteList\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\EmieUserList\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

xplorer\EmieUserList\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Local\Microsoft\Internet E xplorer\DOMStore\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

xplorer\DOMStore\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

History\History.IE5\MSHist012018050320180504\cont ainer.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

History\History.IE5\MSHist012018050320180504\cont ainer.dat

container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

C:\Users\Behemot\AppData\Roaming\Microsoft\Windo ws\IEDownloadHistory\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

ws\IEDownloadHistory\container.dat container.dat

1

(33)

20/8/2021 - 0:49:20.

700

Op en

7 9 6

AppCache\B2419NGQ\container.dat

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

AppCache\B2419NGQ\container.dat container.dat

20/8/2021 - 0:49:20.

700

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:20.

700

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 0:49:20.

700

Wri te

2 9 4 8

20/8/2021 - 0:49:20.

747

Wri te

1 7 9 6

WebCache\WebCacheV01.dat

20/8/2021 - 0:49:20.

747

Wri

te 4 C:\Users\Behemot\AppData\Local\Microsoft\Windows\

20/8/2021 - 0:49:20.

840

Wri te

1 7 9 6

20/8/2021 - 0:49:20.

840

Wri

20/8/2021 - 0:49:20.

934

Wri te

1 7 9 6

20/8/2021 - 0:49:20.

934

Wri

20/8/2021 - 0:49:20.

934

Wri te

1 7 9 6

WebCache\V01.log

(34)

20/8/2021 - 0:49:20.

934

Wri

WebCache\V01.log

20/8/2021 - 0:49:20.

934

Re ad

1 7 9 6

20/8/2021 - 0:49:20.

981

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 0:49:20.

981

Wri

WebCache\V01.log

20/8/2021 - 0:49:20.

981

Wri te

1 7 9 6

WebCache\V01.log

20/8/2021 - 0:49:20.

981

Wri

WebCache\V01.log

20/8/2021 - 0:49:20.

981

Wri te

2 9 4 8

20/8/2021 - 0:49:20.

981

Wri te

2 9 4 8

20/8/2021 - 0:49:21.

28

Wri te

1 7 9 6

20/8/2021 - 0:49:21.

28

Wri

20/8/2021 - 0:49:21.

75

Op en

1 7 9 6

20/8/2021 - 0:49:21.

75

Un kn ow n

1 7 9 6

(35)

20/8/2021 - 0:49:21.

75

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:21.

75

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 0:49:21.

75

Op en

1 7 9 6

20/8/2021 - 0:49:21.

75

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:23.

715

Wri

20/8/2021 - 0:49:23.

715

Un kn ow n

20/8/2021 - 0:49:25.

872

Un kn ow n

2 3 6 0

audiodg.exe C:\Windows

20/8/2021 - 0:49:30.

747

Wri te

1 7 9 6

20/8/2021 - 0:49:30.

747

Wri

20/8/2021 - 0:49:30.

793

Wri te

1 7 9 6

20/8/2021 - 0:49:30.

793

Wri

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache\V01.chk

(36)

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

WebCache

(37)

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

WebCache

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

C:\Windows\System32\t

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft\Windows

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

1

(38)

20/8/2021 - 0:49:30.

840

Op en

7 9 6

askhost.exe C:\Users\Behemot\AppData\Local\Microsoft

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData\Local

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 Un 1

(39)

- 0:49:30.

840

kn ow n

7 9 6

C:\Users\Behemot\AppData\Local

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot\AppData

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 Un 1

(40)

- 0:49:30.

840

kn ow n

7 9 6

C:\Users\Behemot\AppData

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

askhost.exe C:\Users\Behemot

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 Un 1

(41)

- 0:49:30.

840

kn ow n

7 9 6

C:\Users\Behemot

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

askhost.exe C:\Users

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 - 0:49:30.

840

Un kn ow n

1 7 9 6

20/8/2021 - 0:49:30.

840

Op en

1 7 9 6

20/8/2021 Un kn

1

7 C:\Windows\System32\t

(42)

- 0:49:30.

840

ow n

9 6

20/8/2021 - 0:49:30.

840

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Wri

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Wri te

2 9 4 8

20/8/2021 - 0:49:30.

840

Wri te

1 7 9 6

WebCache\V01.chk

20/8/2021 - 0:49:30.

840

Wri

WebCache\V01.chk

20/8/2021 - 0:49:30.

856

Op en

7 9 6

20/8/2021 - 0:49:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:49:30.

856

Un kn ow n

7 9 6

20/8/2021 - 0:49:30.

856

Op en

7 9 6

20/8/2021 - 0:49:30.

856

Op en

7 9 6

20/8/2021 - 0:49:30.

856

Un kn ow n

7 9 6

20/8/2021 Un 7